cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Average EPS Count over 30 Days, Broken down into daily averages;

CharlieK95
Copper Contributor

‎Jan 13 2022 01:48 AM

‎Jan 13 2022 01:48 AM

Average EPS Count over 30 Days, Broken down into daily averages;

Hey!

We've recently moved from QRadar to Sentinel and we're currently trying to replicate our reports on Sentinel, but are struggling with Average EPS Count. Our previous queries, would query 30 days worth of "all data", average the Events per second for that day, and do it for each day in those 30 days. With those numbers, we could make a chart into PowerBI. 

 

In Sentinel, I've only been able to get as far as getting an average EPS, which appears to be wrong anyway, but this is the KQL I used;

union withsource=_TableName1 *
| where TimeGenerated > ago(30d)
| summarize count() by bin(TimeGenerated, 1m), Type
| extend counttemp =count_ / 60
| summarize
['Average EPS'] = avg(counttemp), ['Minimum EPS']=min (counttemp),
['Maximum EPS']=max(counttemp)

 

It's probably quite obvious to someone why this isn't working, but any help would be good! 

So the main question I have is, how can we get a result out of a query in Log Analytics, to show a daily breakdown of the average EPS for that day, over a month. For example, the output should be 30 separate days (over the last month), with a "Average EPS" per day listed so a chart can be made! 

 

Does anyone have any advice for this?

Kind Regards,

Charlie 

5,053 Views
0 Likes
3 Replies
Reply
3 Replies
best response confirmed by CharlieK95 (Copper Contributor)
Clive_Watson

‎Jan 13 2022 06:00 AM

‎Jan 13 2022 06:00 AM

Solution

Re: Average EPS Count over 30 Days, Broken down into daily averages;

@CharlieK95 

Two methods I used before: 

union *
// filter on last 30 whole days - midnight --> midnight 
| where TimeGenerated between ( startofday(ago(30d)) ..endofday(ago(1d)) )
// bin by 1d interval
| summarize count() by bin(TimeGenerated,1d), Type
    | extend avgEventPerDay  = count_ / 7
    | extend avgEventPerHour = avgEventPerDay / 24
    | extend eps    = avgEventPerHour /60
| project TimeGenerated, eps, Type
| render timechart with (title="EPS per day - per Table")

union *
// filter on last 30 whole days - midnight --> midnight 
| where TimeGenerated between ( startofday(ago(30d)) ..endofday(ago(1d)) )
// bin by 1d interval
| summarize count() by bin(TimeGenerated,1d), Type
    | extend avgEventPerDay  = count_ / 7
    | extend avgEventPerHour = avgEventPerDay / 24
    | extend eps    = avgEventPerHour /60
| summarize sum(eps) by TimeGenerated
| render timechart with (title="EPS - sum of all Tables")

 

0 Likes
Reply
FlyingCoffee

‎Nov 22 2022 03:19 AM

‎Nov 22 2022 03:19 AM

Re: Average EPS Count over 30 Days, Broken down into daily averages;

  

Why is the total event count of a day divided by 7?

| extend avgEventPerDay  = count_ / 7

 

@Clive_Watson

0 Likes
Reply
Clive_Watson

‎Nov 22 2022 10:34 AM

‎Nov 22 2022 10:34 AM

Re: Average EPS Count over 30 Days, Broken down into daily averages;

@FlyingCoffee 

 

hmmmm - good question, this was a while ago. I could well have pasted in something from my archive.

This would be better:

union *
| where TimeGenerated between ( startofday(ago(30d)) ..endofday(ago(1d)) )
| summarize count() by bin(TimeGenerated,1m), Type
| extend counttemp =count_ / 60
| summarize 
           ['Average Events per Second (eps)'] = avg(counttemp), ['Minimum eps']=min (counttemp),
           ['Maximum eps']=max(counttemp)
  by ['Table Name']=Type, bin(TimeGenerated,1d)
| order  by ['Average Events per Second (eps)'] desc
| render timechart with (title="EPS - sum of all Tables")

,  

1 Like
Reply
1 best response

Accepted Solutions
best response confirmed by CharlieK95 (Copper Contributor)
Clive_Watson

‎Jan 13 2022 06:00 AM

‎Jan 13 2022 06:00 AM

Solution

Re: Average EPS Count over 30 Days, Broken down into daily averages;

@CharlieK95 

Two methods I used before: 

union *
// filter on last 30 whole days - midnight --> midnight 
| where TimeGenerated between ( startofday(ago(30d)) ..endofday(ago(1d)) )
// bin by 1d interval
| summarize count() by bin(TimeGenerated,1d), Type
    | extend avgEventPerDay  = count_ / 7
    | extend avgEventPerHour = avgEventPerDay / 24
    | extend eps    = avgEventPerHour /60
| project TimeGenerated, eps, Type
| render timechart with (title="EPS per day - per Table")

union *
// filter on last 30 whole days - midnight --> midnight 
| where TimeGenerated between ( startofday(ago(30d)) ..endofday(ago(1d)) )
// bin by 1d interval
| summarize count() by bin(TimeGenerated,1d), Type
    | extend avgEventPerDay  = count_ / 7
    | extend avgEventPerHour = avgEventPerDay / 24
    | extend eps    = avgEventPerHour /60
| summarize sum(eps) by TimeGenerated
| render timechart with (title="EPS - sum of all Tables")

 

View solution in original post

0 Likes
Reply