Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Getting averages from 2 columns

dbcase
Motivator
‎01-23-2018 10:25 AM

Hi,

I have a query that looks like this

index=wholesale_app counter buildTarget=* product=* Properties.index=0 buildTarget=* product=*|convert num(Properties.args{}) as loginms|eval dura=loginms/1000|eval duration=ceil(dura)|where duration<=60|stats count as statscount by duration|sort duration|rename duration as "Login Duration in Seconds" statscount as "Number of times the Login Duration Occurred"| appendpipe [stats count | where count=0]

It makes a table that shows this

alt text

What I'd like to to is get an average number of seconds for login duration but using both columns. Example

1 second occurred 16 times so 1 second would have to be counted 16 times in the average.

Thoughts?

Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎01-23-2018 10:39 AM

Give this a try

 index=wholesale_app counter buildTarget=* product=* Properties.index=0 buildTarget=* product=*|convert num(Properties.args{}) as loginms|eval dura=loginms/1000|eval duration=ceil(dura)|where duration<=60|stats count as statscount by duration|sort duration| appendpipe [stats count | where count=0]
| eval noofsecs=statscount*duration | stats sum(noofsecs) as noofsecs sum(statscount) as totaloccurances | eval "Average number of secs per login"=round(noofsecs/totaloccurances,2)

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎01-23-2018 10:39 AM

Give this a try

 index=wholesale_app counter buildTarget=* product=* Properties.index=0 buildTarget=* product=*|convert num(Properties.args{}) as loginms|eval dura=loginms/1000|eval duration=ceil(dura)|where duration<=60|stats count as statscount by duration|sort duration| appendpipe [stats count | where count=0]
| eval noofsecs=statscount*duration | stats sum(noofsecs) as noofsecs sum(statscount) as totaloccurances | eval "Average number of secs per login"=round(noofsecs/totaloccurances,2)
0 Karma
Reply
Solved! Jump to solution

dbcase
Motivator
‎01-23-2018 10:44 AM

Hey Somesoni2!

Very nice solution! Thank you! (Again)

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...