SOLVED

Average EPS Count over 30 Days, Broken down into daily averages;

%3CLINGO-SUB%20id%3D%22lingo-sub-3060413%22%20slang%3D%22en-US%22%3EAverage%20EPS%20Count%20over%2030%20Days%2C%20Broken%20down%20into%20daily%20averages%3B%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3060413%22%20slang%3D%22en-US%22%3E%3CP%3EHey!%3C%2FP%3E%3CP%3EWe've%20recently%20moved%20from%20QRadar%20to%20Sentinel%20and%20we're%20currently%20trying%20to%20replicate%20our%20reports%20on%20Sentinel%2C%20but%20are%20struggling%20with%20Average%20EPS%20Count.%20Our%20previous%20queries%2C%20would%20query%2030%20days%20worth%20of%20%22all%20data%22%2C%20average%20the%20Events%20per%20second%20for%20that%20day%2C%20and%20do%20it%20for%20each%20day%20in%20those%2030%20days.%20With%20those%20numbers%2C%20we%20could%20make%20a%20chart%20into%20PowerBI.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIn%20Sentinel%2C%20I've%20only%20been%20able%20to%20get%20as%20far%20as%20getting%20an%20average%20EPS%2C%20which%20appears%20to%20be%20wrong%20anyway%2C%20but%20this%20is%20the%20KQL%20I%20used%3B%3C%2FP%3E%3CPRE%20class%3D%22lia-code-sample%20language-sql%22%3E%3CCODE%3Eunion%20withsource%3D_TableName1%20*%0A%7C%20where%20TimeGenerated%20%26gt%3B%20ago(30d)%0A%7C%20summarize%20count()%20by%20bin(TimeGenerated%2C%201m)%2C%20Type%0A%7C%20extend%20counttemp%20%3Dcount_%20%2F%2060%0A%7C%20summarize%0A%5B'Average%20EPS'%5D%20%3D%20avg(counttemp)%2C%20%5B'Minimum%20EPS'%5D%3Dmin%20(counttemp)%2C%0A%5B'Maximum%20EPS'%5D%3Dmax(counttemp)%0A%3C%2FCODE%3E%3C%2FPRE%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIt's%20probably%20quite%20obvious%20to%20someone%20why%20this%20isn't%20working%2C%20but%20any%20help%20would%20be%20good!%26nbsp%3B%3C%2FP%3E%3CP%3ESo%20the%20main%20question%20I%20have%20is%2C%20how%20can%20we%20get%20a%20result%20out%20of%20a%20query%20in%20Log%20Analytics%2C%20to%20show%20a%20daily%20breakdown%20of%20the%20average%20EPS%20for%20that%20day%2C%20over%20a%20month.%20For%20example%2C%20the%20output%20should%20be%2030%20separate%20days%20(over%20the%20last%20month)%2C%20with%20a%20%22Average%20EPS%22%20per%20day%20listed%20so%20a%20chart%20can%20be%20made!%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDoes%20anyone%20have%20any%20advice%20for%20this%3F%3C%2FP%3E%3CP%3EKind%20Regards%2C%3C%2FP%3E%3CP%3ECharlie%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Occasional Contributor

Hey!

We've recently moved from QRadar to Sentinel and we're currently trying to replicate our reports on Sentinel, but are struggling with Average EPS Count. Our previous queries, would query 30 days worth of "all data", average the Events per second for that day, and do it for each day in those 30 days. With those numbers, we could make a chart into PowerBI. 

 

In Sentinel, I've only been able to get as far as getting an average EPS, which appears to be wrong anyway, but this is the KQL I used;

union withsource=_TableName1 *
| where TimeGenerated > ago(30d)
| summarize count() by bin(TimeGenerated, 1m), Type
| extend counttemp =count_ / 60
| summarize
['Average EPS'] = avg(counttemp), ['Minimum EPS']=min (counttemp),
['Maximum EPS']=max(counttemp)

 

It's probably quite obvious to someone why this isn't working, but any help would be good! 

So the main question I have is, how can we get a result out of a query in Log Analytics, to show a daily breakdown of the average EPS for that day, over a month. For example, the output should be 30 separate days (over the last month), with a "Average EPS" per day listed so a chart can be made! 

 

Does anyone have any advice for this?

Kind Regards,

Charlie 

1 Reply
best response confirmed by CharlieK95 (Occasional Contributor)
Solution

@CharlieK95 

Two methods I used before: 

union *
// filter on last 30 whole days - midnight --> midnight 
| where TimeGenerated between ( startofday(ago(30d)) ..endofday(ago(1d)) )
// bin by 1d interval
| summarize count() by bin(TimeGenerated,1d), Type
    | extend avgEventPerDay  = count_ / 7
    | extend avgEventPerHour = avgEventPerDay / 24
    | extend eps    = avgEventPerHour /60
| project TimeGenerated, eps, Type
| render timechart with (title="EPS per day - per Table")

union *
// filter on last 30 whole days - midnight --> midnight 
| where TimeGenerated between ( startofday(ago(30d)) ..endofday(ago(1d)) )
// bin by 1d interval
| summarize count() by bin(TimeGenerated,1d), Type
    | extend avgEventPerDay  = count_ / 7
    | extend avgEventPerHour = avgEventPerDay / 24
    | extend eps    = avgEventPerHour /60
| summarize sum(eps) by TimeGenerated
| render timechart with (title="EPS - sum of all Tables")