https://community.splunk.com/t5/Splunk-Search/Difference-average-and-mean/m-p/111536#M29224 <P>There is indeed no difference between the two, however I've noticed that Splunk only spits out results for one of them when they are averaging the same field. (Which makes sense, since why do twice the work for the same result). For example this search:</P> <PRE><CODE>|noop | stats count | fields | eval value=mvrange(1,10) | mvexpand value | eval val2 = value | stats avg(val2) mean(value) </CODE></PRE> <P>Spits our values for both but this search:</P> <PRE><CODE>|noop | stats count | fields | eval value=mvrange(1,10) | mvexpand value | stats avg(value) mean(value) </CODE></PRE> <P>Spits out a value for only one of them</P> Thu, 09 Jul 2015 13:54:26 GMT acharlieh 2015-07-09T13:54:26Z https://community.splunk.com/t5/Splunk-Search/Difference-average-and-mean/m-p/111535#M29223 <P>Hi,</P> <P>as I can see in the Splunk docs, using | stats avg() and mean() shoud both give me the same results (arithmetic mean).</P> <P>In my query I search for both of avg and mean. But I am only getting results for mean, not for average.<BR /> My search query is like this |index=x searchtype=x| stats avg() mean() </P> <P>Why are there no results for average? Does average only work if Splunk automatically aggregates values for example to create the average of 5 min chunks? And mean takes all values and divides it by the total count?</P> <P>Thank you!</P> <P>Silvia </P> Thu, 09 Jul 2015 13:21:05 GMT https://community.splunk.com/t5/Splunk-Search/Difference-average-and-mean/m-p/111535#M29223 SilviaGebel 2015-07-09T13:21:05Z https://community.splunk.com/t5/Splunk-Search/Difference-average-and-mean/m-p/111536#M29224 <P>There is indeed no difference between the two, however I've noticed that Splunk only spits out results for one of them when they are averaging the same field. (Which makes sense, since why do twice the work for the same result). For example this search:</P> <PRE><CODE>|noop | stats count | fields | eval value=mvrange(1,10) | mvexpand value | eval val2 = value | stats avg(val2) mean(value) </CODE></PRE> <P>Spits our values for both but this search:</P> <PRE><CODE>|noop | stats count | fields | eval value=mvrange(1,10) | mvexpand value | stats avg(value) mean(value) </CODE></PRE> <P>Spits out a value for only one of them</P> Thu, 09 Jul 2015 13:54:26 GMT https://community.splunk.com/t5/Splunk-Search/Difference-average-and-mean/m-p/111536#M29224 acharlieh 2015-07-09T13:54:26Z https://community.splunk.com/t5/Splunk-Search/Difference-average-and-mean/m-p/111537#M29225 <P>Is that your actual search? If so, the problem is that you need to tell Splunk what <CODE>field</CODE> to average by putting something inside the parentheses like this:</P> <PRE><CODE>index=x sourcetype=x| stats avg(x) mean(x) </CODE></PRE> <P>I have NEVER seen avg not work and I use it almost every day! If you are putting a <CODE>field</CODE> inside <CODE>avg()</CODE> then the answer is that the field you are telling Splunk to <CODE>avg</CODE> does not have any values for the search you are using.</P> Thu, 09 Jul 2015 13:55:51 GMT https://community.splunk.com/t5/Splunk-Search/Difference-average-and-mean/m-p/111537#M29225 woodcock 2015-07-09T13:55:51Z https://community.splunk.com/t5/Splunk-Search/Difference-average-and-mean/m-p/111538#M29226 <P>Oh - thank you. That makes sense. </P> Thu, 09 Jul 2015 14:10:53 GMT https://community.splunk.com/t5/Splunk-Search/Difference-average-and-mean/m-p/111538#M29226 SilviaGebel 2015-07-09T14:10:53Z https://community.splunk.com/t5/Splunk-Search/Difference-average-and-mean/m-p/111539#M29227 <P>This isn't the problem. <CODE>| stats avg</CODE> is the same as <CODE>| stats avg(*)</CODE> which is spit out averages of all numeric fields. Example search:</P> <PRE><CODE>|noop | stats count | fields | eval value=mvrange(1,10) | mvexpand value | eval val2=value | stats avg </CODE></PRE> Thu, 09 Jul 2015 14:13:59 GMT https://community.splunk.com/t5/Splunk-Search/Difference-average-and-mean/m-p/111539#M29227 acharlieh 2015-07-09T14:13:59Z