https://community.splunk.com/t5/Splunk-Search/How-to-calculate-the-average-based-on-fields/m-p/47557#M11352 <P>Strange. I did the same before but couldn't get the answer. I guess I mistyped something.</P> Wed, 28 Nov 2012 16:26:42 GMT theouhuios 2012-11-28T16:26:42Z https://community.splunk.com/t5/Splunk-Search/How-to-calculate-the-average-based-on-fields/m-p/47554#M11349 <P>Hello</P> <P>I think this should be simple enough but somehow I am not able to understand how to approach it.<BR /> Here is the search which I am using</P> <PRE><CODE>sourcetype="xxxx" record.eventType="create"|stats count by record.affectedCI </CODE></PRE> <P>and the data looks ;like. </P> <PRE><CODE>record.affectedCI count </CODE></PRE> <P>1 LT95DB10 1<BR /> 2 SNMX2646005T 1<BR /> 3 SNMX2649003N 1<BR /> 4 SNMX265100A8 1<BR /> 5 SNUSE717N4A3 1<BR /> 6 SNUSE722N6PM 1</P> <P>What I need to know is to find the average of count over all affected CI's. I did use the stats avr() but somehow that isn't giving me the output which I wanted. This shouldn't be difficult,just that I am not able to think on how to approach it now <span class="lia-unicode-emoji" title=":face_with_tongue:">😛</span></P> <P>Regards</P> <P>theou</P> Wed, 28 Nov 2012 16:12:20 GMT https://community.splunk.com/t5/Splunk-Search/How-to-calculate-the-average-based-on-fields/m-p/47554#M11349 theouhuios 2012-11-28T16:12:20Z https://community.splunk.com/t5/Splunk-Search/How-to-calculate-the-average-based-on-fields/m-p/47555#M11350 <P>Add this </P> <PRE><CODE>... | eventstats avg(count) as avg_count </CODE></PRE> Wed, 28 Nov 2012 16:21:32 GMT https://community.splunk.com/t5/Splunk-Search/How-to-calculate-the-average-based-on-fields/m-p/47555#M11350 jonuwz 2012-11-28T16:21:32Z https://community.splunk.com/t5/Splunk-Search/How-to-calculate-the-average-based-on-fields/m-p/47556#M11351 <P>if you want an average of all the counts you already calculated from the first search :</P> <P><CODE>sourcetype="xxxx" record.eventType="create"|stats count by record.affectedCI | stats avg(count)</CODE></P> Wed, 28 Nov 2012 16:21:55 GMT https://community.splunk.com/t5/Splunk-Search/How-to-calculate-the-average-based-on-fields/m-p/47556#M11351 yannK 2012-11-28T16:21:55Z https://community.splunk.com/t5/Splunk-Search/How-to-calculate-the-average-based-on-fields/m-p/47557#M11352 <P>Strange. I did the same before but couldn't get the answer. I guess I mistyped something.</P> Wed, 28 Nov 2012 16:26:42 GMT https://community.splunk.com/t5/Splunk-Search/How-to-calculate-the-average-based-on-fields/m-p/47557#M11352 theouhuios 2012-11-28T16:26:42Z https://community.splunk.com/t5/Splunk-Search/How-to-calculate-the-average-based-on-fields/m-p/566976#M197582 <P>Hello Sir,</P><P>I tried following your post and tried to fetch average number of errors during 09/7/21 12:00:00:000 AM to 09/14/21 12:00:00:000 AM.</P><LI-CODE lang="markup">index=* &lt;search condition&gt;|stats count by error | stats avg(count) by error</LI-CODE><P>I got two columns: error and avg(count). However, I am unable to comprehend how the values were calculated in second column. I tried taking the error counts for each day from 09/7 to 09/13, and calculated the average,&nbsp; the result did not match with the result obtained from the search query.&nbsp;</P><P>&nbsp;</P><P>Thus, need your help to understand how the data was calculated and the steps to correct the query.&nbsp;</P><P>Thank you</P> Tue, 14 Sep 2021 13:47:04 GMT https://community.splunk.com/t5/Splunk-Search/How-to-calculate-the-average-based-on-fields/m-p/566976#M197582 Taruchit 2021-09-14T13:47:04Z https://community.splunk.com/t5/Splunk-Search/How-to-calculate-the-average-based-on-fields/m-p/682049#M233042 <P>Curious as to why stats has to be ran twice.&nbsp; Even using table before stats doesn't work to get the proper average.</P> Tue, 26 Mar 2024 20:38:56 GMT https://community.splunk.com/t5/Splunk-Search/How-to-calculate-the-average-based-on-fields/m-p/682049#M233042 jviray 2024-03-26T20:38:56Z