Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

how to do search median

thomas22966710
New Member
‎06-21-2017 09:42 AM

Hi

Ihave a question

this is input 

date       item   field_1     field_2  field_3
2016/01/01   x       1         2         3
2016/01/01   y       4         5         6

this I want the output

 date      item  median_field
 2016/01/01   x       2       
 2016/01/01   y       5

Thanks

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jkat54
SplunkTrust
SplunkTrust
‎06-21-2017 03:33 PM

... | stats median(field_*) as median by date item

View solution in original post

Reply
Solved! Jump to solution
Solution

jkat54
SplunkTrust
SplunkTrust
‎06-21-2017 03:33 PM

... | stats median(field_*) as median by date item

Reply
Solved! Jump to solution

DalJeanis
Legend
‎06-21-2017 08:46 PM

Nice. Assuming that the field names match a mask, that's much more succinct, and it has the feature that it will correctly calculate the median if there are multiple records for a time and item combination.

0 Karma
Reply
Solved! Jump to solution

DalJeanis
Legend
‎06-21-2017 10:49 AM

Here's a run-anywhere example.

| makeresults
| eval mydata="2016/01/02,x,1,2,3 2016/01/02,y,6,4,5"
| makemv mydata | mvexpand mydata
| makemv delim="," mydata
| eval _time = strptime(mvindex(mydata,0),"%Y/%m/%d")
| eval item = mvindex(mydata,1)
| eval field1 = mvindex(mydata,2)
| eval field2 = mvindex(mydata,3)
| eval field3 = mvindex(mydata,4)
| table _time item field1 field2 field3
| rename COMMENT as "The above just generates test data"

| rename COMMENT as "We put together all the key fields we want to keep, in a single field."
| eval mykeystuff = _time."!!!!".item

| rename COMMENT as "We keep our key field, and all the numeric fields we want the median from."
| table mykeystuff field*

| rename COMMENT as "We untable to put the field names into field, and the field values into value, then calculate our median, ignoring the field names"
| untable mykeystuff field value
| stats median(value) as mymedian by mykeystuff

| rename COMMENT as "Now we unpack our key fields again"
| makemv delim="!!!!" mykeystuff
| eval _time = mvindex(mykeystuff,0)
| eval item = mvindex(mykeystuff,1)

| rename COMMENT as "And kill the combined key field, now that it's done its duty"
| table _time item mymedian

updated to use delim="!!!!" in case the item names have any spaces in them.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

A Guide To Cloud Migration Success

As enterprises’ rapid expansion to the cloud continues, IT leaders are continuously looking for ways to focus ...