Answers for "Can eval be used to calculate the standard deviation in multiple fields for a single event?"
https://answers.splunk.com/answers/474829/can-eval-be-used-to-calculate-the-standard-deviati.html
The latest answers for the question "Can eval be used to calculate the standard deviation in multiple fields for a single event?"

Answer by gokadroid
https://answers.splunk.com/answering/473891/view.html
Since standard deviation is calculated using the average, I am assuming your field called `fieldsAvg` is the average of all five fields. That also makes me feel we can tweak your situation as follows:
- Make a new field called `myField` which has values from all the five fields. So if you have 3 events with 5 field values each, this new field will have 15 values to take care of all 5 fields for all 3 events.
- Calculate the stdev on this new field
```
your base query to return field1,field2,field3,field4,field5
| eval myField=mvzip(field1, mvzip(field2, mvzip(field3, mvzip(field4, field5))))
| mvexpand myField
| rex max_match=0 field=myField "(?<numbers>\d+)"
| stats stdev(numbers) as stdDeviation
```
Mon, 07 Nov 2016 21:21:35 GMT
gokadroid

Answer by GregMefford
https://answers.splunk.com/answering/473887/view.html
You could improve your current solution by making a macro out of it, which would be easier to use and maintain across different searches without worrying about a typo causing one of them to behave differently.
Mon, 07 Nov 2016 21:07:19 GMT
GregMefford

Answer by rjthibod
https://answers.splunk.com/answering/473845/view.html
My understanding is there is no `eval` function that will calculate the standard deviation for fields in the same row.
Most of the `eval` functions are designed to be performed across all of the rows against specific fields (e.g., the standard deviation for your field "field1").
Mon, 07 Nov 2016 14:50:49 GMT
rjthibod
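
An added example, not taken from any of the answers above: the per-event sample standard deviation built from plain `eval` arithmetic, then cross-checked against `stats stdev` grouped per event. The `makeresults` rows and their values are constructed sample data, and the names `row`, `n`, `sumSq`, `rowStdev` and `statsStdev` are assumptions made for illustration; `fieldsAvg` is recomputed here as the mean of the five fields.

```spl
| makeresults count=3
| streamstats count as row
| eval field1=row*2, field2=row*3, field3=row+7, field4=10, field5=row*row
| eval n=5
| eval fieldsAvg=(field1+field2+field3+field4+field5)/n
| eval sumSq=0
| foreach field1 field2 field3 field4 field5
    [ eval sumSq=sumSq+pow('<<FIELD>>'-fieldsAvg, 2) ]
| eval rowStdev=sqrt(sumSq/(n-1))
| eval myField=mvappend(field1, field2, field3, field4, field5)
| mvexpand myField
| stats first(fieldsAvg) as fieldsAvg first(rowStdev) as rowStdev stdev(myField) as statsStdev by row
| table row fieldsAvg rowStdev statsStdev
```

Dividing by `n-1` matches `stats stdev`, which is the sample standard deviation; divide by `n` to match `stdevp` instead. If any of the five fields is missing from an event, the arithmetic yields null for that event's `rowStdev`.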