Solved: Re: Why is stats avg() not putting in zeros by _ti...

kdimaria · ‎07-10-2018

I am trying to see the average users by day but when there are no events or users for a certain day the _time field doesn't show up or put a zero so the calculation is wrong. I am looking back the previous week so I should see Monday through Friday but I only see Monday Tuesday and Wednesday. I tried fillnull but that did not work. I want to see Thursday and Friday as 0 to calculate the avg correctly.

index=* | where isnotnull(user) | where date_wday!="saturday" AND date_wday!="sunday"| bin _time span=24h | stats dc(user) as Users  by _time| fillnull Users value=0 | stats avg(Users) as Users

pradeepkumarg · ‎07-10-2018

Use timechart instead

index=* | where isnotnull(user) | where date_wday!="saturday" AND date_wday!="sunday"| timechart span=24h dc(user) as Users

View solution in original post

pradeepkumarg · ‎07-10-2018

Use timechart instead

index=* | where isnotnull(user) | where date_wday!="saturday" AND date_wday!="sunday"| timechart span=24h dc(user) as Users

kdimaria · ‎07-10-2018

thank you 🙂

Why is stats avg() not putting in zeros by _time?

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...