https://community.splunk.com/t5/Splunk-Search/calculate-average-of-last-30-days/m-p/461976#M130229 <P>i tried updating to be above code.however it does not seem to give me the correct value .The existing values are not returning after the change .</P> <P>index=MY_INDEX JOB=JOBNAME earliest= -30d@d latest= now()<BR /> |dedup JOB,STATUS<BR /> | eval startTime= case("0"!=(strftime(_time, "%a %B %d %Y %H:%M:%S")) AND STATUS="RUNNING",strftime(_time, "%a %B %d %Y %H:%M:%S")),endTime= case("0"!=(strftime(_time, "%a %B %d %Y %H:%M:%S")) AND STATUS="SUCCESS",strftime(_time, "%a %B %d %Y %H:%M:%S")), terminateTime= case("0"!=(strftime(_time, "%a %B %d %Y %H:%M:%S")) AND STATUS="TERMINATED",strftime(_time, "%a %B %d %Y %H:%M:%S")) <BR /> | eval sTime=strptime(startTime,"%a %B %d %Y %H:%M:%S") <BR /> | eval eTime=strptime(endTime,"%a %B %d %Y %H:%M:%S") <BR /> | eval tTime=strptime(startTime,"%a %B %d %Y %H:%M:%S") <BR /> | eventstats latest(STATUS) AS STATUS BY JOB <BR /> | transaction JOB,startTime,endTime <BR /> | eval e_Time=if(STATUS="TERMINATED" OR eTime</P> Wed, 30 Sep 2020 04:07:56 GMT thomaap 2020-09-30T04:07:56Z https://community.splunk.com/t5/Splunk-Search/calculate-average-of-last-30-days/m-p/461972#M130225 <P>below average function is not giving me the correct value for last 30 days.Kindly advise</P> <P>| eval sTime=strptime(startTime,"%a %B %d %Y %H:%M:%S") <BR /> | eval eTime=strptime(endTime,"%a %B %d %Y %H:%M:%S") <BR /> | eval tTime=strptime(startTime,"%a %B %d %Y %H:%M:%S") <BR /> | eventstats latest(STATUS) AS STATUS BY JOB <BR /> | transaction JOB,startTime,endTime <BR /> | eval e_Time=if(STATUS="TERMINATED" OR eTime</P> Wed, 05 Feb 2020 13:14:40 GMT https://community.splunk.com/t5/Splunk-Search/calculate-average-of-last-30-days/m-p/461972#M130225 thomaap 2020-02-05T13:14:40Z https://community.splunk.com/t5/Splunk-Search/calculate-average-of-last-30-days/m-p/461973#M130226 <P>I see no attempt to calculate an average in that SPL. What field do you want to average?</P> Wed, 05 Feb 2020 13:51:02 GMT https://community.splunk.com/t5/Splunk-Search/calculate-average-of-last-30-days/m-p/461973#M130226 richgalloway 2020-02-05T13:51:02Z https://community.splunk.com/t5/Splunk-Search/calculate-average-of-last-30-days/m-p/461974#M130227 <P>| eval stTime=strptime(startTime, "%a %B %d %Y %H:%M:%S") <BR /> | eval edTime=strptime(e_Time, "%a %B %d %Y %H:%M:%S") <BR /> | eval diff=edTime-stTime <BR /> | eval diff= round(diff/60,2) <BR /> | eval diff=edTime-stTime <BR /> | eval diff= round(diff/60,2) <BR /> | streamstats avg(diff) as average window=30 <BR /> | eval avrg=round(average,2) <BR /> looks like the entire query was not posted</P> Wed, 05 Feb 2020 14:21:02 GMT https://community.splunk.com/t5/Splunk-Search/calculate-average-of-last-30-days/m-p/461974#M130227 thomaap 2020-02-05T14:21:02Z https://community.splunk.com/t5/Splunk-Search/calculate-average-of-last-30-days/m-p/461975#M130228 <P>The <CODE>streamstats avg(diff) as average window=30</CODE> command will calculate the average diff over the previous 30 events, not necessarily 30 days. Try this, instead:</P> <PRE><CODE>&lt;compute diff&gt; | bucket span=30d _time | stats avg(diff) as average by _time | eval avrg = round(average, 2) </CODE></PRE> Wed, 05 Feb 2020 15:20:19 GMT https://community.splunk.com/t5/Splunk-Search/calculate-average-of-last-30-days/m-p/461975#M130228 richgalloway 2020-02-05T15:20:19Z https://community.splunk.com/t5/Splunk-Search/calculate-average-of-last-30-days/m-p/461976#M130229 <P>i tried updating to be above code.however it does not seem to give me the correct value .The existing values are not returning after the change .</P> <P>index=MY_INDEX JOB=JOBNAME earliest= -30d@d latest= now()<BR /> |dedup JOB,STATUS<BR /> | eval startTime= case("0"!=(strftime(_time, "%a %B %d %Y %H:%M:%S")) AND STATUS="RUNNING",strftime(_time, "%a %B %d %Y %H:%M:%S")),endTime= case("0"!=(strftime(_time, "%a %B %d %Y %H:%M:%S")) AND STATUS="SUCCESS",strftime(_time, "%a %B %d %Y %H:%M:%S")), terminateTime= case("0"!=(strftime(_time, "%a %B %d %Y %H:%M:%S")) AND STATUS="TERMINATED",strftime(_time, "%a %B %d %Y %H:%M:%S")) <BR /> | eval sTime=strptime(startTime,"%a %B %d %Y %H:%M:%S") <BR /> | eval eTime=strptime(endTime,"%a %B %d %Y %H:%M:%S") <BR /> | eval tTime=strptime(startTime,"%a %B %d %Y %H:%M:%S") <BR /> | eventstats latest(STATUS) AS STATUS BY JOB <BR /> | transaction JOB,startTime,endTime <BR /> | eval e_Time=if(STATUS="TERMINATED" OR eTime</P> Wed, 30 Sep 2020 04:07:56 GMT https://community.splunk.com/t5/Splunk-Search/calculate-average-of-last-30-days/m-p/461976#M130229 thomaap 2020-09-30T04:07:56Z https://community.splunk.com/t5/Splunk-Search/calculate-average-of-last-30-days/m-p/461977#M130230 <P>That's the nature of <CODE>stats</CODE>, which seemed fine since your question asked about calculating average and said nothing about preserving other values.</P> Thu, 06 Feb 2020 15:53:09 GMT https://community.splunk.com/t5/Splunk-Search/calculate-average-of-last-30-days/m-p/461977#M130230 richgalloway 2020-02-06T15:53:09Z