
Splunk stats by index

Calculate the sum of a field: if you just want a simple calculation, you can specify the aggregation without any other arguments, for example stats sum(bytes). This search summarizes the bytes for all of the incoming results. The name of the column is the name of the aggregation.

Not sure if I articulated my problem well in the title, but let me elaborate here. I need to find where IPs have a daily average count from the past 3 days that is at least 150% larger than a daily average count from the past 7 days. I am looking for spikes in activity based on those two averages. With the way I phrased it, that may sound confusing, but let me show you what I have and why I'm having issues calculating the averages.

| where 3_Day_Average > 7_Day_Average * 1.5

This provides incorrect averages because if an IP doesn't have a count on a particular day, it won't include that day in the statistics table and it won't be calculated into the average. Instead, it will use a different IP's count to fill in. So if one IP doesn't have a count for 2 of the 7 days, for example, then it will take 2 counts from the next IP and calculate that into the average for the original IP that was missing 2 days. I need the days that don't have counts to still show so that they can be calculated into these averages. If this doesn't make sense to you, feel free to ask questions.

04-28-2016 07:31 AM I think I figured it out after some fiddling.

How can I get Splunk index daily data volume size for a specific index? Thanks.

A Regular Expression (regex) in Splunk is a way to search through text to find.

This function is used to retrieve the first seen value of a specified field. Or, in other words, you can say it's giving the first seen value in the _raw field.

Example 1: index=info | table _time,_raw | stats first(_raw)

Explanation: we have used stats first(_raw), which is giving the first event from the event list.
