Splunk Search

How to do an average for different persons

Abarny
Path Finder

Hi,

I have a problem with an average. Do you know how I can do an average between the max JourP and the number where I have the ACResponse 200? But it's not for a single person: I need to do that for 8 different persons at the same time and do an average of these averages to get just one number.
(Ex: Moyen= AppelID/max(JourP) where AppelId is 3 and JourP is 5)

I do that, but I have a truncated number because I do an average for the max day and a global average, not a personal one:

| table OCId ACResponse date_wday
| stats dc(date_wday) as nbpres, count as AppeID by ACResponse
| table nbpres,AppeID,ACResponse
| eventstats max(nbpres) as maxJourP
| eval MoyenNoDec=AppeID/maxJourP
| where ACResponse="200"
| table MoyenNoDec
| stats avg(MoyenNoDec)

Thanks for your help

1 Solution

gcusello
SplunkTrust

Hi Abarny,
sorry, but I don't understand your need:
do you want a table like the one in your screenshot?
or do you need to format your number?
If you insert a stats command at the end of your search, you have only this value.
If you need to add avg(MoyenNoDec) to your search, you have to insert it in the previous stats command, or insert the other values you have in the last stats command with the values option; in other words, something like this:
stats values(nbpres) AS nbpres values(AppeID) AS AppeID values(ACResponse) AS ACResponse avg(MoyenNoDec)
Why isn't there a BY clause in the last stats command?

In addition, in your search you don't need to insert the table commands between the stats commands; this way your search is slower!

Bye.
Giuseppe.


Abarny
Path Finder

I want to format a number. In the screenshot, it's for one person, but not every Agent works 5 days. I do this table and just an average of all code 200 by maxJourP by Agent.
I want to do that for different persons according to maxJourP and get a global average.

gcusello
SplunkTrust

Hi Abarny,
OK, you can use the appendcols or appendpipe commands:

| your_search
| stats dc(date_wday) as nbpres, count as AppeID by ACResponse 
| eventstats max(nbpres) as maxJourP
| eval MoyenNoDec=AppeID/maxJourP
| where ACResponse="200" 
| appendcols [ your_search | stats avg(MoyenNoDec)]

Bye.
Giuseppe
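
An added example, not part of the original thread or either poster's search: one way to get a per-person average and then a single global average using appendpipe. It assumes OCId is the field that identifies the person (the thread does not say which field does); your_search is the same placeholder used in the answer above, and the "ALL" label is made up for the summary row.

```spl
| your_search
| stats dc(date_wday) as nbpres, count as AppeID by OCId, ACResponse
| eventstats max(nbpres) as maxJourP by OCId
| where ACResponse="200"
| eval MoyenNoDec=AppeID/maxJourP
| table OCId, AppeID, maxJourP, MoyenNoDec
| appendpipe
    [ stats avg(MoyenNoDec) as MoyenNoDec
    | eval OCId="ALL" ]
| eval MoyenNoDec=round(MoyenNoDec, 2)
```

Grouping by OCId makes maxJourP the number of days each person was present rather than one maximum shared by everyone, and the final round is applied only after the averages are computed so that the global row is not an average of already rounded values.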

Abarny
Path Finder

Thank you!
