If this doesn't make sense to you, feel free to ask questions. I need the days that don't have counts to still show so that they can be calculated into these averages. So if one IP doesn't have a count for 2 of the 7 days for example, then it will take 2 counts from the next IP and calculate that into the average for the original IP that was missing 2 days. Instead, it will use a different IP's count to fill in. This provides incorrect averages because if an IP doesn't have a count on a particular day, it won't include that day in the statistics table and it won't be calculated into the average. | where 3_Day_Average > 7_Day_Average * 1.5 If the part 'Result' is a first-level key, Splunk would have given you fields like Results.Message (which contains the information you are trying to parse), Results.Elapsed, Results.TraceLevel. In this section we will show how to use the stats command. That is the key to solving a data problem, regex or not. indexblahblah earliest-7d timechart span1d count by ip untable time ip count sort ip trendline sma3 (count) as 3DayAverage trendline sma7 (count) as 7DayAverage where 3DayAverage > 7DayAverage 1. The timechart command will fill in zeros for spans that have no data. With the way I phrased it, that may sound confusing, but let me show you what I have and why I'm having issues calculating the averages. The stats command calculates aggregate statistics over a dataset, such as average, count, and sum. indexcoll stats count by indexsort -count unless you are a) not talking about virtual indexes or b) have not kept to the naming convention. 1 Answer Sorted by: 2 Instead of stats, try timechart. I am looking for spikes in activity based on those two averages. I need to find where IPs have a daily average count from the past 3 days that is at least 150% larger than a daily average count from the past 7 days. 04-28-2016 07:31 AM I think I figured it out after some fiddling. main This is Splunks default index where all the processed data is stored. Not sure if I articulated my problem well in the title but let me elaborate here. The installation of Splunk creates three default indexes as follows.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |