https://community.splunk.com/t5/Splunk-Search/How-do-I-get-cumulative-moving-average/m-p/419365#M120586 <P>I chose the <CODE>time_window</CODE> option based on your use of <CODE>timechart span=5h</CODE>, but you can use another option that works better for your use case.</P> Wed, 31 Jul 2019 18:21:33 GMT richgalloway 2019-07-31T18:21:33Z https://community.splunk.com/t5/Splunk-Search/How-do-I-get-cumulative-moving-average/m-p/419362#M120583 <P>Hi guys,</P> <P>I am trying to compute and chart the cumulative moving average (ref. of what is it:<A href="https://en.wikipedia.org/wiki/Moving_average#Cumulative_moving_average">https://en.wikipedia.org/wiki/Moving_average#Cumulative_moving_average</A>)</P> <P>The point is that I am doing the following query:</P> <PRE><CODE>host=SARITA source="login.csv" | reverse | accum elapsed_time as cumulative_elapsed_time | timechart span=5h last(cumulative_elapsed_time) by server </CODE></PRE> <P>And what I get from it is the cumulative sum. Now what I still need is to get cumulative count (which means, for any "n" value, to get the amount n up to that point in time, but not the total amount of values of all that series), so I can divide the cumulative value by the cumulative count, thus having the cumulative average.</P> <P>Please help me with this, as I am really stuck on it. Thank you very much in advance for your patience.</P> <P>Best regards,<BR /> Brian</P> Wed, 31 Jul 2019 14:36:24 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-get-cumulative-moving-average/m-p/419362#M120583 brdennehy 2019-07-31T14:36:24Z https://community.splunk.com/t5/Splunk-Search/How-do-I-get-cumulative-moving-average/m-p/419363#M120584 <P>Use the <CODE>streamstats</CODE> command to count the events.</P> <PRE><CODE>host=SARITA source="login.csv" | reverse | streamstats count | accum elapsed_time as cumulative_elapsed_time | timechart span=5h last(cumulative_elapsed_time) by server </CODE></PRE> <P>Even better would be to let <CODE>streamstats</CODE> do the moving average for you.</P> <PRE><CODE>host=SARITA source="login.csv" | reverse | streamstats time_window=5h avg(elapsed_time) as AvgElapsedTime by server </CODE></PRE> Wed, 31 Jul 2019 15:15:30 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-get-cumulative-moving-average/m-p/419363#M120584 richgalloway 2019-07-31T15:15:30Z https://community.splunk.com/t5/Splunk-Search/How-do-I-get-cumulative-moving-average/m-p/419364#M120585 <P>Thanks!! I'll try the streamstats tomorrow.</P> <P>The problem with your suggestion of making streamstats to do the moving average for me is that the time window must be from the first measure until that point n in question, and not 5h....</P> Wed, 31 Jul 2019 15:26:10 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-get-cumulative-moving-average/m-p/419364#M120585 brdennehy 2019-07-31T15:26:10Z https://community.splunk.com/t5/Splunk-Search/How-do-I-get-cumulative-moving-average/m-p/419365#M120586 <P>I chose the <CODE>time_window</CODE> option based on your use of <CODE>timechart span=5h</CODE>, but you can use another option that works better for your use case.</P> Wed, 31 Jul 2019 18:21:33 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-get-cumulative-moving-average/m-p/419365#M120586 richgalloway 2019-07-31T18:21:33Z https://community.splunk.com/t5/Splunk-Search/How-do-I-get-cumulative-moving-average/m-p/419366#M120587 <P>Thanks man! I used the default (non specified) time-frame. I read that the limit is 10,000 events, but it's ok. I only have 2 events per day.</P> <P>Thank you very much!!!</P> Thu, 01 Aug 2019 07:47:25 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-get-cumulative-moving-average/m-p/419366#M120587 brdennehy 2019-08-01T07:47:25Z