topic Re: How do you compute the average number of emails contained in two different sources? in Splunk Search

How do you compute the average number of emails contained in two different sources?

maryamchar — Mon, 29 Oct 2018 17:36:43 GMT

I have two different sourcetypes with same index name. Both sources they have emails and it shows the number of those emails. I would like to aggregate both sources and find the average of emails from both sources, represent that on graph.

source="source1" source="source2" index=testing |stats avg(Emails) by companyName

I'm using Splunk Enterprise(Search and Reporting) -> making dashboards. Thank you in advance.

Re: How do you compute the average number of emails contained in two different sources?

kmaron — Mon, 29 Oct 2018 17:56:13 GMT

You switch from saying sourcetype to saying source. These are two different things. Since the partial SPL you provided says source I'm going to run with that. You can always replace source with sourcetype and it will still work.

This would get you the average number of emails per company name and source

index=testing (source="source1" OR source="source2") 
| stats avg(Emails) as Average by companyName source

You can then choose your visualization to determine the type of graph you want.

Re: How do you compute the average number of emails contained in two different sources?

maryamchar — Mon, 29 Oct 2018 18:07:11 GMT

sorry i meant source. The above gave me the result of an average of one source and not combined. I want the average of both sources combined for emails by company.

Re: How do you compute the average number of emails contained in two different sources?

kmaron — Mon, 29 Oct 2018 20:02:18 GMT

You just need to remove source.

  index=testing (source="source1" OR source="source2") 
  | stats avg(Emails) as Average by companyName

Re: How do you compute the average number of emails contained in two different sources?

maryamchar — Tue, 30 Oct 2018 14:33:34 GMT

Thank you!