Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to calculate the average based on fields.

theouhuios
Motivator
‎11-28-2012 08:12 AM

Hello

I think this should be simple enough but somehow I am not able to understand how to approach it.
Here is the search which I am using

sourcetype="xxxx" record.eventType="create"|stats count by record.affectedCI

and the data looks ;like. 

record.affectedCI   count

1 LT95DB10 1
2 SNMX2646005T 1
3 SNMX2649003N 1
4 SNMX265100A8 1
5 SNUSE717N4A3 1
6 SNUSE722N6PM 1

What I need to know is to find the average of count over all affected CI's. I did use the stats avr() but somehow that isn't giving me the output which I wanted. This shouldn't be difficult,just that I am not able to think on how to approach it now 😛

Regards

theou

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎11-28-2012 08:21 AM

if you want an average of all the counts you already calculated from the first search :

sourcetype="xxxx" record.eventType="create"|stats count by record.affectedCI | stats avg(count)

View solution in original post

Reply
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎11-28-2012 08:21 AM

if you want an average of all the counts you already calculated from the first search :

sourcetype="xxxx" record.eventType="create"|stats count by record.affectedCI | stats avg(count)

Reply
Solved! Jump to solution

jviray
Explorer
3 weeks ago

Curious as to why stats has to be ran twice.  Even using table before stats doesn't work to get the proper average.

0 Karma
Reply
Solved! Jump to solution

Taruchit
Contributor
‎09-14-2021 06:47 AM

Hello Sir,

I tried following your post and tried to fetch average number of errors during 09/7/21 12:00:00:000 AM to 09/14/21 12:00:00:000 AM.

index=* <search condition>|stats count by error | stats avg(count) by error

I got two columns: error and avg(count). However, I am unable to comprehend how the values were calculated in second column. I tried taking the error counts for each day from 09/7 to 09/13, and calculated the average,  the result did not match with the result obtained from the search query. 

 

Thus, need your help to understand how the data was calculated and the steps to correct the query. 

Thank you

0 Karma
Reply
Solved! Jump to solution

theouhuios
Motivator
‎11-28-2012 08:26 AM

Strange. I did the same before but couldn't get the answer. I guess I mistyped something.

0 Karma
Reply
Solved! Jump to solution

jonuwz
Influencer
‎11-28-2012 08:21 AM

Add this 

... | eventstats avg(count) as avg_count
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...