https://community.splunk.com/t5/Splunk-Search/Find-average-when-using-group-by/m-p/492569#M137400 <P>Thanks. I just removed by channel and it worked. I was just overthinking.</P> Thu, 03 Oct 2019 20:10:28 GMT balash1979 2019-10-03T20:10:28Z https://community.splunk.com/t5/Splunk-Search/Find-average-when-using-group-by/m-p/492567#M137398 <P>Here is my query </P> <PRE><CODE>index="search_index" search processing_service | eval time_in_mins=('metric_value')/60 | stats avg(time_in_mins) by channel </CODE></PRE> <P>By running this query, i get the following results <BR /> channel1 5.25<BR /> channel2 6.25<BR /> channel3 10.25</P> <P>Basically, i get output of all the channels and their averages. how can I get only 1 value with the average of all the channel averages ? <BR /> I would like an output of my query as </P> <P>Avg_of_all_channels 7.25</P> Wed, 30 Sep 2020 02:22:50 GMT https://community.splunk.com/t5/Splunk-Search/Find-average-when-using-group-by/m-p/492567#M137398 balash1979 2020-09-30T02:22:50Z https://community.splunk.com/t5/Splunk-Search/Find-average-when-using-group-by/m-p/492568#M137399 <P>@balash1979,</P> <P>What do you get after removing the <CODE>by channel</CODE> from the search ? </P> Thu, 03 Oct 2019 14:33:42 GMT https://community.splunk.com/t5/Splunk-Search/Find-average-when-using-group-by/m-p/492568#M137399 renjith_nair 2019-10-03T14:33:42Z https://community.splunk.com/t5/Splunk-Search/Find-average-when-using-group-by/m-p/492569#M137400 <P>Thanks. I just removed by channel and it worked. I was just overthinking.</P> Thu, 03 Oct 2019 20:10:28 GMT https://community.splunk.com/t5/Splunk-Search/Find-average-when-using-group-by/m-p/492569#M137400 balash1979 2019-10-03T20:10:28Z https://community.splunk.com/t5/Splunk-Search/Find-average-when-using-group-by/m-p/492570#M137401 <P>as @renjith.nair stated in the comments, I believe what you're after is simply</P> <PRE><CODE>index="search_index" search processing_service | eval time_in_mins=('metric_value')/60 | stats avg(time_in_mins) as all_channel_avg </CODE></PRE> <P>which would just output one column named all_channel_avg and one row with the avg.</P> <P>if you'd like both the individual channel avg AND the total avg, possibly something like:</P> <PRE><CODE>index="search_index" search processing_service | eval time_in_mins=('metric_value')/60 |eventstats avg(time_in_mins) as total_avg| stats values(total_avg) as all_channel_avg avg(time_in_mins) as channel_avg by channel </CODE></PRE> <P>however, you might want to do a count and sum in the stats command and then the eventstats and some eval in order to not run eventstats before stats. </P> <PRE><CODE>index="search_index" search processing_service | eval time_in_mins=('metric_value')/60| stats avg(time_in_mins) as channel_avg sum(time_in_mins) as total_mins count as total_count by channel|eventstats sum(total_mins) as total_mins sum(total_count) as total_count|eval all_channel_avg=total_mins/total_count </CODE></PRE> <P>again, that might actually need some work, as i'm currently really thinking that the math might not be right....</P> Wed, 30 Sep 2020 02:28:36 GMT https://community.splunk.com/t5/Splunk-Search/Find-average-when-using-group-by/m-p/492570#M137401 cmerriman 2020-09-30T02:28:36Z