https://community.splunk.com/t5/Splunk-Search/How-to-create-a-search-that-finds-the-average-of-the-last-three/m-p/592540#M206236 <P>I have an search where I need to find the average of the last three bins. Example: On my time filter I select an range of 10:00 - 10:30. I need to find the average of ONLY the first three bins 581, 698, and 247. How can I create a search that does this?</P> <P>On this dashboard I use an time picker so the search would need to be dynamic, as there would be new time inputs.</P> <TABLE border="0" width="128" cellspacing="0" cellpadding="0"> <TBODY> <TR> <TD width="64" height="19">_time</TD> <TD width="64">Count</TD> </TR> <TR> <TD height="19">10:00</TD> <TD>581</TD> </TR> <TR> <TD height="19">10:05</TD> <TD>698</TD> </TR> <TR> <TD height="19">10:10</TD> <TD>247</TD> </TR> <TR> <TD height="19">10:15</TD> <TD>987</TD> </TR> <TR> <TD height="19">10:20</TD> <TD>365</TD> </TR> <TR> <TD height="19">10:30</TD> <TD>875</TD> </TR> </TBODY> </TABLE> Tue, 05 Apr 2022 21:55:29 GMT kishan2356 2022-04-05T21:55:29Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-search-that-finds-the-average-of-the-last-three/m-p/592540#M206236 <P>I have an search where I need to find the average of the last three bins. Example: On my time filter I select an range of 10:00 - 10:30. I need to find the average of ONLY the first three bins 581, 698, and 247. How can I create a search that does this?</P> <P>On this dashboard I use an time picker so the search would need to be dynamic, as there would be new time inputs.</P> <TABLE border="0" width="128" cellspacing="0" cellpadding="0"> <TBODY> <TR> <TD width="64" height="19">_time</TD> <TD width="64">Count</TD> </TR> <TR> <TD height="19">10:00</TD> <TD>581</TD> </TR> <TR> <TD height="19">10:05</TD> <TD>698</TD> </TR> <TR> <TD height="19">10:10</TD> <TD>247</TD> </TR> <TR> <TD height="19">10:15</TD> <TD>987</TD> </TR> <TR> <TD height="19">10:20</TD> <TD>365</TD> </TR> <TR> <TD height="19">10:30</TD> <TD>875</TD> </TR> </TBODY> </TABLE> Tue, 05 Apr 2022 21:55:29 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-search-that-finds-the-average-of-the-last-three/m-p/592540#M206236 kishan2356 2022-04-05T21:55:29Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-search-that-finds-the-average-of-the-last-three/m-p/592542#M206238 <P>How do you want to display that, as a single value somewhere or in the same table as your example. There are several ways to calculate that. Note that you mention both first and last - but imply earliest in your numbers.</P><P>Note that you can always make a base search if you have data in one dashboard panel that is used by another and add whatever you need to a post processing search for the average.</P><P>If you simply want the average of the 3 as a value somewhere, take the last two lines of this.</P><LI-CODE lang="markup">| makeresults | eval _raw="_time Count 10:00 581 10:05 698 10:10 247 10:15 987 10:20 365 10:30 875" | multikv forceheader=1 | eval _time=strptime(time, "%H:%M") | table _time Count | head 3 | stats avg(Count) as Count</LI-CODE><P>or as a rolling average of the 3 bins, use this instead of the last two lines above</P><LI-CODE lang="markup">| streamstats window=3 avg(Count) as AvgCount</LI-CODE><P>If that doesn't help, please clarify how you want to use this value</P> Tue, 05 Apr 2022 23:31:07 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-search-that-finds-the-average-of-the-last-three/m-p/592542#M206238 bowesmana 2022-04-05T23:31:07Z