https://community.splunk.com/t5/Splunk-Search/how-to-do-search-median/m-p/367864#M160658 <P>Hi</P> <P>Ihave a question </P> <P>this is input </P> <PRE><CODE>date item field_1 field_2 field_3 2016/01/01 x 1 2 3 2016/01/01 y 4 5 6 </CODE></PRE> <P>this I want the output</P> <PRE><CODE> date item median_field 2016/01/01 x 2 2016/01/01 y 5 </CODE></PRE> <P>Thanks</P> Wed, 21 Jun 2017 16:42:22 GMT thomas22966710 2017-06-21T16:42:22Z https://community.splunk.com/t5/Splunk-Search/how-to-do-search-median/m-p/367864#M160658 <P>Hi</P> <P>Ihave a question </P> <P>this is input </P> <PRE><CODE>date item field_1 field_2 field_3 2016/01/01 x 1 2 3 2016/01/01 y 4 5 6 </CODE></PRE> <P>this I want the output</P> <PRE><CODE> date item median_field 2016/01/01 x 2 2016/01/01 y 5 </CODE></PRE> <P>Thanks</P> Wed, 21 Jun 2017 16:42:22 GMT https://community.splunk.com/t5/Splunk-Search/how-to-do-search-median/m-p/367864#M160658 thomas22966710 2017-06-21T16:42:22Z https://community.splunk.com/t5/Splunk-Search/how-to-do-search-median/m-p/367865#M160659 <P>Here's a run-anywhere example.</P> <PRE><CODE>| makeresults | eval mydata="2016/01/02,x,1,2,3 2016/01/02,y,6,4,5" | makemv mydata | mvexpand mydata | makemv delim="," mydata | eval _time = strptime(mvindex(mydata,0),"%Y/%m/%d") | eval item = mvindex(mydata,1) | eval field1 = mvindex(mydata,2) | eval field2 = mvindex(mydata,3) | eval field3 = mvindex(mydata,4) | table _time item field1 field2 field3 | rename COMMENT as "The above just generates test data" | rename COMMENT as "We put together all the key fields we want to keep, in a single field." | eval mykeystuff = _time."!!!!".item | rename COMMENT as "We keep our key field, and all the numeric fields we want the median from." | table mykeystuff field* | rename COMMENT as "We untable to put the field names into field, and the field values into value, then calculate our median, ignoring the field names" | untable mykeystuff field value | stats median(value) as mymedian by mykeystuff | rename COMMENT as "Now we unpack our key fields again" | makemv delim="!!!!" mykeystuff | eval _time = mvindex(mykeystuff,0) | eval item = mvindex(mykeystuff,1) | rename COMMENT as "And kill the combined key field, now that it's done its duty" | table _time item mymedian </CODE></PRE> <HR /> <P>updated to use delim="!!!!" in case the item names have any spaces in them.</P> Wed, 21 Jun 2017 17:49:13 GMT https://community.splunk.com/t5/Splunk-Search/how-to-do-search-median/m-p/367865#M160659 DalJeanis 2017-06-21T17:49:13Z https://community.splunk.com/t5/Splunk-Search/how-to-do-search-median/m-p/367866#M160660 <P>... | stats median(field_*) as median by date item </P> Wed, 21 Jun 2017 22:33:13 GMT https://community.splunk.com/t5/Splunk-Search/how-to-do-search-median/m-p/367866#M160660 jkat54 2017-06-21T22:33:13Z https://community.splunk.com/t5/Splunk-Search/how-to-do-search-median/m-p/367867#M160661 <P>Nice. Assuming that the field names match a mask, that's much more succinct, and it has the feature that it will correctly calculate the median if there are multiple records for a time and item combination.</P> Thu, 22 Jun 2017 03:46:42 GMT https://community.splunk.com/t5/Splunk-Search/how-to-do-search-median/m-p/367867#M160661 DalJeanis 2017-06-22T03:46:42Z