How to achieve average number of events per unit o...

bigll · ‎05-09-2022

Hi.

How I can compare load during the same time every day for business days?

I.e. time 11:oo AM - 7:00 PM on Monday, Tuesday -----, Friday
-----------------
Monday - 3200
Tuesday - 3300
Wednesday - 5400
Thursday - 3200
Friday - 3100
--------------------

TIA

richgalloway · ‎05-09-2022

Here's one way to get the figures for business hours.

| tstats count where index=foo earliest=-7d by _time span=1h
```Get the day of the count```
| eval day=strftime(_time,"%A")
```Get the hour of the count```
| eval hour=strftime(_time,"%H")
```Discard counts on weekends.  Keep only those during business hours```.
| where ((NOT day IN ("Saturday", "Sunday")) AND (hour>=11 AND hour<19))
```Total by day```
| stats sum(count) as count by day

What do you mean by "compare"?

---
If this reply helps you, Karma would be appreciated.

bigll · ‎05-10-2022

Hi. Thank you for the reply.
What I am trying to achieve is to see if let say number of request per server either much higher or much lower than typical load for the same time of the same day of the week.
I.e. a server team see CPU utilization spiked at 07:30 AM on Wednesday with no visible reason.
I would check if the number of connections in the same range as it was a week ago at 07:30 AM on last Wednesday or traffic is higher and could cause CPU spike.

TIA.

How to achieve average number of events per unit of time in different days of the week?

timechart

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases