How to get the average by two variables through a single accelerated report?

sravyav
New Member

Hi,

I need to calculate an average by two fields. Each event has the below values:

time variable1 variable2 countofevents

Example:

2016-04-23 14:30:00 Apple vendor1 3
2016-04-23 14:31:00 Apple vendor2 6
2016-04-23 14:30:00 Mango vendor1 8
2016-04-23 14:30:00 Apple vendor3 7

I need to find:
1) averages of countofevents by variable1
2) averages of countofevents by variable2

Can that be done using single report acceleration?

I tried doing:

index =x | stats avg(countofevents) by _time, variable1, variable2

Then 2 other searches which use report acceleration:

I tried doing:

index =x | stats avg(countofevents) as avg1 by _time, variable1, variable2 | stats avg(avg1) by _time, variable1

and

index =x | stats avg(countofevents) as avg1 by _time, variable1, variable2 | stats avg(avg1) by _time, variable2

The above didn't work because it is trying to do avg on average values again.

Is there any way I can get the required data by using single report acceleration instead of two?

Thanks
sravya


lguinn2
Legend

The following might work, but I don't know if it can be accelerated:

index = x 
| appendpipe [ stats avg(countofevents) as avg1 by variable1 | rename variable1 as "Var1 Heading" ]
| appendpipe [ stats avg(countofevents) as avg2 by variable2 | rename variable2 as "Var2 Heading" ]
| table "Var1 Heading" avg1 "Var2 Heading" avg2

sravyav
New Member

Thanks lguinn. It can be accelerated.
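
An added illustration, not part of the thread and not Splunk code: the Python below shows why the two-stage avg() searches in the question drift from the true average, and how a single summary that keeps a sum and a count per (time, variable1, variable2) cell supports both roll-ups. The first four rows are the question's sample events; the last two are constructed here, and the function names are hypothetical. The roll-ups ignore time for brevity.

```python
from collections import defaultdict

# First four rows are the sample events from the question; the last two are
# constructed here so that one (variable1, variable2) pair has several events.
EVENTS = [
    ("2016-04-23 14:30:00", "Apple", "vendor1", 3),
    ("2016-04-23 14:31:00", "Apple", "vendor2", 6),
    ("2016-04-23 14:30:00", "Mango", "vendor1", 8),
    ("2016-04-23 14:30:00", "Apple", "vendor3", 7),
    ("2016-04-23 14:30:00", "Apple", "vendor1", 9),   # constructed
    ("2016-04-23 14:30:00", "Apple", "vendor1", 12),  # constructed
]

def summarize(events):
    """One pass over raw events: keep [sum, count] per (time, var1, var2)."""
    summary = defaultdict(lambda: [0, 0])
    for time, var1, var2, value in events:
        cell = summary[(time, var1, var2)]
        cell[0] += value
        cell[1] += 1
    return dict(summary)

def rollup(summary, field):
    """Exact average per value of one key field (1=variable1, 2=variable2)."""
    totals = defaultdict(lambda: [0, 0])
    for key, (total, count) in summary.items():
        totals[key[field]][0] += total
        totals[key[field]][1] += count
    return {name: total / count for name, (total, count) in totals.items()}

def avg_of_avgs(summary, field):
    """What a second avg() over cell averages yields: an unweighted mean."""
    means = defaultdict(list)
    for key, (total, count) in summary.items():
        means[key[field]].append(total / count)
    return {name: sum(vals) / len(vals) for name, vals in means.items()}

if __name__ == "__main__":
    summary = summarize(EVENTS)
    for field, label in ((1, "variable1"), (2, "variable2")):
        print(label, "exact:", rollup(summary, field))
        print(label, "avg of avgs:", avg_of_avgs(summary, field))
```

The two results differ for Apple because the vendor1 cell holds three events while the other Apple cells hold one each, and the unweighted mean discards that weighting.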
