https://community.splunk.com/t5/Splunk-Search/Rolling-Averages/m-p/247663#M176474 <P>use <CODE>|streamstats</CODE> </P> <P><A href="https://docs.splunk.com/Documentation/Splunk/6.5.0/SearchReference/Streamstats">https://docs.splunk.com/Documentation/Splunk/6.5.0/SearchReference/Streamstats</A></P> <P>it's great for rolling averages. you can do multiple streamstats, one for the 30, 60, and 90 day windows. </P> Fri, 14 Oct 2016 12:48:24 GMT cmerriman 2016-10-14T12:48:24Z https://community.splunk.com/t5/Splunk-Search/Rolling-Averages/m-p/247662#M176473 <P>I am having alot of trouble setting up rolling averages in Splunk. I would love to be able to overlay a 30, 60, 90 day trend line over my current trend line. this seems like a pretty standard function in analysis so I am sure im over looking some simple function? Is there documentation or guidance on how to set up rolling averages?</P> Fri, 14 Oct 2016 12:42:12 GMT https://community.splunk.com/t5/Splunk-Search/Rolling-Averages/m-p/247662#M176473 justx001 2016-10-14T12:42:12Z https://community.splunk.com/t5/Splunk-Search/Rolling-Averages/m-p/247663#M176474 <P>use <CODE>|streamstats</CODE> </P> <P><A href="https://docs.splunk.com/Documentation/Splunk/6.5.0/SearchReference/Streamstats">https://docs.splunk.com/Documentation/Splunk/6.5.0/SearchReference/Streamstats</A></P> <P>it's great for rolling averages. you can do multiple streamstats, one for the 30, 60, and 90 day windows. </P> Fri, 14 Oct 2016 12:48:24 GMT https://community.splunk.com/t5/Splunk-Search/Rolling-Averages/m-p/247663#M176474 cmerriman 2016-10-14T12:48:24Z https://community.splunk.com/t5/Splunk-Search/Rolling-Averages/m-p/247664#M176475 <P>You'll want to use streamstats to accomplish this</P> <P><A href="https://docs.splunk.com/Documentation/Splunk/6.5.0/SearchReference/Streamstats">https://docs.splunk.com/Documentation/Splunk/6.5.0/SearchReference/Streamstats</A></P> <P>Try something like this</P> <P><CODE>&lt;your base search&gt; | timechart count span=30d | streamstats window=20 avg(count) as avgCount | fields _time avgCount [search &lt;your base search&gt; | timechart count span=60d | streamstats window=20 avg(count) as avgCount | fields _time avgCount]</CODE></P> Fri, 14 Oct 2016 13:05:34 GMT https://community.splunk.com/t5/Splunk-Search/Rolling-Averages/m-p/247664#M176475 skoelpin 2016-10-14T13:05:34Z https://community.splunk.com/t5/Splunk-Search/Rolling-Averages/m-p/247665#M176476 <P>Thank you very much for the quick reply, the reference and the example</P> Fri, 14 Oct 2016 13:35:56 GMT https://community.splunk.com/t5/Splunk-Search/Rolling-Averages/m-p/247665#M176476 justx001 2016-10-14T13:35:56Z https://community.splunk.com/t5/Splunk-Search/Rolling-Averages/m-p/247666#M176477 <P>As an addendum to this fabulous answer, @justx001 you might want to check out the trendline command as well, it has weighted and exponential moving averages as well.</P> <P><CODE><BR /> | ... base search <BR /> | timechart count span=1d<BR /> | trendline sma10(count) as ten_day_simple_moving_average, wma30(count) as month_weighted_moving_average, ema7(count) as week_exponential_moving_average<BR /> </CODE></P> Fri, 14 Oct 2016 18:44:47 GMT https://community.splunk.com/t5/Splunk-Search/Rolling-Averages/m-p/247666#M176477 aljohnson_splun 2016-10-14T18:44:47Z