Solved: Stats count and average

rhinomike · ‎01-23-2015

I have a log that more or less looks like:

 timestamp=1422006650  from=bob@sender.com to=alice@receiver.com subject="I love you honey" score=100 
 timestamp=1422007650    from=bob@sender.com to=alice@receiver.com subject="I love you honey" score=100 
 timestamp=1422008650    from=eve@sender.com to=alice@receiver.com subject="I loved him first" score=100
 timestamp=1422009650    from=eve@sender.com to=alice@receiver.com subject="I loved you first" score=50
 timestamp=1422009750    from=eve@sender.com to=alice@receiver.com subject="I loved him  first" score=10

I am now trying to perform a stats like

from                    subject                 count_to    avg_score
bob@sender.com          I love you honey       2       100
eve@sender.com          I loved you first      1       50
eve@sender.com          I loved him first      2       55

If I'm not mistaken, I can use:

stats count by from,to, subject to build the four first columns, however it is not clear to me how to calculate the average for a particular set of values in accordance with the first round of stats.

Is it possible?

aweitzman · ‎01-23-2015

This should work:

... | stats count as count_to avg(score) as avg_score by from subject

View solution in original post

aweitzman · ‎01-23-2015

This should work:

... | stats count as count_to avg(score) as avg_score by from subject

rhinomike · ‎03-01-2015

Solved it perfectly. Thanks

Stats count and average

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life