https://community.splunk.com/t5/Splunk-Search/How-to-create-total-average-median-max-of-field-in-a-separate/m-p/665945#M228468 <P>Hello,<BR /><BR />I tried the command you suggested and it did not show any effects<BR />Please suggest.<BR /><BR />Thanks</P> Tue, 24 Oct 2023 00:11:44 GMT LearningGuy 2023-10-24T00:11:44Z https://community.splunk.com/t5/Splunk-Search/How-to-create-total-average-median-max-of-field-in-a-separate/m-p/665858#M228457 <P><BR />How to create total average/median/max of field in a separate table?<BR />Thank you in advance<BR /><BR />| index=testindex<BR />| table company, ip, Vulnerability, Score</P><TABLE width="434"><TBODY><TR><TD width="83"><STRONG>company</STRONG></TD><TD width="150"><STRONG>ip</STRONG></TD><TD width="110"><STRONG>Vulnerability</STRONG></TD><TD width="91"><STRONG>Score</STRONG></TD></TR><TR><TD>CompanyA</TD><TD>ip1</TD><TD>Vuln1</TD><TD>2</TD></TR><TR><TD>CompanyA</TD><TD>ip1</TD><TD>Vuln2</TD><TD>0</TD></TR><TR><TD>CompanyA</TD><TD>ip2</TD><TD>Vuln3</TD><TD>4</TD></TR><TR><TD>CompanyA</TD><TD>ip2</TD><TD>Vuln4</TD><TD>2</TD></TR><TR><TD>CompanyA</TD><TD>ip3</TD><TD>Vuln5</TD><TD>3</TD></TR><TR><TD>CompanyA</TD><TD>ip3</TD><TD>Vuln6</TD><TD>5</TD></TR></TBODY></TABLE><P><BR /><STRONG>Group by IP&nbsp;&nbsp;</STRONG>=&gt; This worked just fine<BR />| stats values(company), avg(Score) as AvgScore by ip</P><TABLE width="343"><TBODY><TR><TD width="83"><STRONG>company</STRONG></TD><TD width="150"><STRONG>ip</STRONG></TD><TD width="110"><STRONG>AvgScore</STRONG></TD></TR><TR><TD>CompanyA</TD><TD>ip1</TD><TD>1</TD></TR><TR><TD>CompanyA</TD><TD>ip2</TD><TD>3</TD></TR><TR><TD>CompanyA</TD><TD>ip3</TD><TD>4</TD></TR></TBODY></TABLE><P><BR /><STRONG>Group by Company&nbsp; &nbsp;</STRONG>=&gt;&nbsp; how do I <U><STRONG>group by company</STRONG></U> after <U><STRONG>group by ip</STRONG>&nbsp;(using stats)&nbsp;</U>and put it on a separate table?<BR />| stats avg(AvgScore) as Average, avgAvgScore) as Median, max( AvgScore) as Max by company</P><TABLE width="434"><TBODY><TR><TD width="90.1562px" height="25px"><STRONG>Company</STRONG></TD><TD width="147.578px" height="25px"><STRONG>Average</STRONG></TD><TD width="107.234px" height="25px"><STRONG>Median</STRONG></TD><TD width="88.0312px" height="25px"><STRONG>Max</STRONG></TD></TR><TR><TD width="90.1562px" height="25px">CompanyA</TD><TD width="147.578px" height="25px">2.7</TD><TD width="107.234px" height="25px">3</TD><TD width="88.0312px" height="25px">4</TD></TR></TBODY></TABLE> Mon, 23 Oct 2023 14:06:45 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-total-average-median-max-of-field-in-a-separate/m-p/665858#M228457 LearningGuy 2023-10-23T14:06:45Z https://community.splunk.com/t5/Splunk-Search/How-to-create-total-average-median-max-of-field-in-a-separate/m-p/665866#M228461 <P>A separate table requires a separate search.</P><P>If this is in a dashboard then consider making the first table a base search and the second table a post-processing of the first.&nbsp; That will save you time and resources when the dashboard runs.</P><LI-CODE lang="markup">... &lt;search id="base"&gt; &lt;!-- "base" can be any string --&gt; &lt;query&gt;| index=testindex | table company, ip, Vulnerability, Score | stats values(company), avg(Score) as AvgScore by ip&lt;/query&gt; ... &lt;/search&gt; ... &lt;search base="base"&gt; &lt;!-- Use the same string as above --&gt; &lt;query&gt;| stats avg(AvgScore) as Average, avgAvgScore) as Median, max( AvgScore) as Max by company&lt;/query&gt; &lt;/search&gt; ...</LI-CODE> Mon, 23 Oct 2023 15:03:59 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-total-average-median-max-of-field-in-a-separate/m-p/665866#M228461 richgalloway 2023-10-23T15:03:59Z https://community.splunk.com/t5/Splunk-Search/How-to-create-total-average-median-max-of-field-in-a-separate/m-p/665903#M228465 <P>Hello,<BR />I tried your suggestion and it worked fine. I am accepting this as a solution<BR />Can you also suggest how to put the average, median and max on the bottom of the table?<BR />Thank you again<BR />Below is the example:&nbsp;&nbsp;</P><TABLE width="343"><TBODY><TR><TD width="90.1562px" height="25px"><STRONG>company</STRONG></TD><TD width="143.906px" height="25px"><STRONG>ip</STRONG></TD><TD width="107.938px" height="25px"><STRONG>AvgScore</STRONG></TD></TR><TR><TD width="90.1562px" height="25px">CompanyA</TD><TD width="143.906px" height="25px">ip1</TD><TD width="107.938px" height="25px">1</TD></TR><TR><TD width="90.1562px" height="25px">CompanyA</TD><TD width="143.906px" height="25px">ip2</TD><TD width="107.938px" height="25px">3</TD></TR><TR><TD width="90.1562px" height="25px">CompanyA</TD><TD width="143.906px" height="25px">ip3</TD><TD width="107.938px" height="25px">4</TD></TR><TR><TD width="90.1562px" height="25px">&nbsp;</TD><TD width="143.906px" height="25px">Average</TD><TD width="107.938px" height="25px">2.7</TD></TR><TR><TD width="90.1562px" height="25px">&nbsp;</TD><TD width="143.906px" height="25px">Median</TD><TD width="107.938px" height="25px">3</TD></TR><TR><TD width="90.1562px" height="25px">&nbsp;</TD><TD width="143.906px" height="25px">Max</TD><TD width="107.938px" height="25px">4</TD></TR></TBODY></TABLE><P><BR /><BR /><BR /></P> Mon, 23 Oct 2023 18:26:41 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-total-average-median-max-of-field-in-a-separate/m-p/665903#M228465 LearningGuy 2023-10-23T18:26:41Z https://community.splunk.com/t5/Splunk-Search/How-to-create-total-average-median-max-of-field-in-a-separate/m-p/665917#M228466 <P>I think you can do that with the <FONT face="courier new,courier">appendpipe</FONT> command, which processes the current results and adds new results to bottom.</P><P>&nbsp;</P><LI-CODE lang="markup">| stats values(company), avg(Score) as AvgScore by ip | appendpipe [ stats avg(AvgScore) as Average, median(AvgScore) as Median, max(AvgScore) as Max by company ]</LI-CODE><P>&nbsp;</P><P>&nbsp;</P> Tue, 24 Oct 2023 00:24:12 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-total-average-median-max-of-field-in-a-separate/m-p/665917#M228466 richgalloway 2023-10-24T00:24:12Z https://community.splunk.com/t5/Splunk-Search/How-to-create-total-average-median-max-of-field-in-a-separate/m-p/665945#M228468 <P>Hello,<BR /><BR />I tried the command you suggested and it did not show any effects<BR />Please suggest.<BR /><BR />Thanks</P> Tue, 24 Oct 2023 00:11:44 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-total-average-median-max-of-field-in-a-separate/m-p/665945#M228468 LearningGuy 2023-10-24T00:11:44Z https://community.splunk.com/t5/Splunk-Search/How-to-create-total-average-median-max-of-field-in-a-separate/m-p/665946#M228469 <P>I used the wrong case in the field name.&nbsp; Try my edited answer.</P> Tue, 24 Oct 2023 00:24:56 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-total-average-median-max-of-field-in-a-separate/m-p/665946#M228469 richgalloway 2023-10-24T00:24:56Z https://community.splunk.com/t5/Splunk-Search/How-to-create-total-average-median-max-of-field-in-a-separate/m-p/665948#M228470 <P>Hello,<BR />There would be no difference because I converted your suggestion to my real data, so I already fixed any details<BR />Please suggest.<BR /><BR />Thanks,<BR /><BR />Marius</P> Tue, 24 Oct 2023 01:31:42 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-total-average-median-max-of-field-in-a-separate/m-p/665948#M228470 LearningGuy 2023-10-24T01:31:42Z