Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to edit my search to use appendpipe to add averages for a field to my table?

singhh4
Path Finder
‎08-29-2016 02:06 PM 
index=servers
|stats count AS Total avg(porcTotal) as porcTotal_Average avg(porc30) as porc30_Average avg(porc90) as porc90_Average by Delivery, VDC
|appendpipe[stats sum(Total) as Total|eval LS_Delivery="All"|eval LS_VDC="All"| eval porcTotal_Average="###" | eval porc30_Average="###" | eval porc90_Average="###"]

With the search above, I get the averages of fields porcTotal, porc30, and porc90 by Delivery and VDC which contain percentages. Appendpipe, of course, adds an extra row with anything I want. I would like to replace the "###" with the averages of the entire field. I've tried appendpipe[stats sum(Total) avg(porcTotal_Average) as porcTotal_Average...] but it only averages the numbers that are populated by the table and doesn't give me the correct numbers. I created what I was looking for in a pivot, so I know what numbers I should get. I need this search and not the pivot for some token things I want to do that I can't with a pivot.

Can anyone help?
Please and thank you!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎08-29-2016 02:29 PM

Try append

index=servers
 |stats count AS Total avg(porcTotal) as porcTotal_Average avg(porc30) as porc30_Average avg(porc90) as porc90_Average by Delivery, VDC 
| append [search index=servers | stats avg(porcTotal) as porcTotal_Average avg(porc30) as porc30_Average avg(porc90) as porc90_Average | eval Delivery="All" | eval VDC="All"]

View solution in original post

Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎08-29-2016 02:38 PM

WHen you say "it only averages the numbers that are populated by the table and doesn't give me the correct numbers", do you mean you want to do simple average of (total values/number of rows), instead of (total of available values/number of available rows)?

0 Karma
Reply
Solved! Jump to solution

singhh4
Path Finder
‎08-30-2016 06:34 AM

Yes. that is it exactly. From what i am seeing, appendpipe uses only the available values. i need a way of using all values in a field.

0 Karma
Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎08-29-2016 02:29 PM

Try append

index=servers
 |stats count AS Total avg(porcTotal) as porcTotal_Average avg(porc30) as porc30_Average avg(porc90) as porc90_Average by Delivery, VDC 
| append [search index=servers | stats avg(porcTotal) as porcTotal_Average avg(porc30) as porc30_Average avg(porc90) as porc90_Average | eval Delivery="All" | eval VDC="All"]
Reply
Solved! Jump to solution

singhh4
Path Finder
‎08-30-2016 06:31 AM

The row never appears

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎08-30-2016 06:39 AM

You see any errors/messages in the Job Inspector?

0 Karma
Reply
Solved! Jump to solution

singhh4
Path Finder
‎08-30-2016 07:12 AM

I got it to work. I was just missing a few filters and spelt a things differently but it works. Thank you!

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎08-30-2016 06:42 AM

Try this run anywhere sample

index=_internal bytes=* earliest=-15m | stats avg(bytes) as b by status | append [search index=_internal earliest=-15m | stats avg(bytes) as b | eval status="All"]

If this works, try reducing the timerange of your search to 15mins.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...