Reporting

How to get the average by two variables through a single accelerated report?

sravyav
New Member

Hi,

I need to calculate an average by two fields. Each event has the below values:

time variable1 variable2 countofevents

Example:

2016-04-23 14:30:00 Apple vendor1 3
2016-04-23 14:31:00 Apple vendor2 6
2016-04-23 14:30:00 Mango vendor1 8
2016-04-23 14:30:00 Apple vendor3 7

I need to find:
1) averages of countofevents by variable1
2) averages of countofevents by variable2

Can that be done using single report acceleration?

I tried doing:

index =x | stats avg(countofevents) by _time, variable1, variable2

Then 2 other searches which use report acceleration:

I tried doing:

index =x | stats avg(countofevents) as avg1 by _time, variable1, variable2 | stats avg(avg1) by _time, variable1

and

index =x | stats avg(countofevents) as avg1 by _time, variable1, variable2 | stats avg(avg1) by _time, variable2

The above didn't work because it is trying to do avg on average values again.

Is there any way I can get the required data by using single report acceleration instead of two?

Thanks
sravya

0 Karma
1 Solution

lguinn2
Legend

The following might work,but I don't know if it can be accelerated:

index = x 
| appendpipe [ stats avg(countofevents) as avg1 by variable1 | rename variable1 as "Var1 Heading" ]
| appendpipe [ stats avg(countofevents) as avg2 by variable2 | rename variable2 as "Var2 Heading" ]
| table "Var1 Heading" avg1 "Var2 Heading" avg2

View solution in original post

0 Karma

lguinn2
Legend

The following might work,but I don't know if it can be accelerated:

index = x 
| appendpipe [ stats avg(countofevents) as avg1 by variable1 | rename variable1 as "Var1 Heading" ]
| appendpipe [ stats avg(countofevents) as avg2 by variable2 | rename variable2 as "Var2 Heading" ]
| table "Var1 Heading" avg1 "Var2 Heading" avg2
0 Karma

sravyav
New Member

Thanks lguinn. it can be accelerated..

0 Karma
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...