https://community.splunk.com/t5/Splunk-Search/How-to-get-the-average-of-two-fields-and-compare-with-last-event/m-p/233965#M69535 <P>My data is similar to this line:</P> <PRE><CODE>05112015ZK00S09MAIN 05112015ZK00S14MAIN 05112015ZK00E65MAIN 05102015ZK00E22MAIN 05102015ZK00S01MAIN </CODE></PRE> <P>Where the "S" or "E" stands for Status.<BR /> So I should get the average of events with Success, the average of Errors.<BR /> They were both extracted positional regex as "Status"<BR /> How can I get the average of'em ?</P> Thu, 12 Nov 2015 17:41:26 GMT vtsguerrero 2015-11-12T17:41:26Z https://community.splunk.com/t5/Splunk-Search/How-to-get-the-average-of-two-fields-and-compare-with-last-event/m-p/233962#M69532 <P>I have a simple search like</P> <PRE><CODE>index=main sourcetype=performance Status=* | eval Status = if(Status=="S","Success","Error") </CODE></PRE> <P>Then I should have a count for each status, example 50 Success and 20 Errors.<BR /> Then get the average of those two counts, and finally compare this average to last event so I can get the average difference to the last event.<BR /> How can achieve this?</P> <P>Thanks in advance!</P> Thu, 12 Nov 2015 17:07:41 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-the-average-of-two-fields-and-compare-with-last-event/m-p/233962#M69532 vtsguerrero 2015-11-12T17:07:41Z https://community.splunk.com/t5/Splunk-Search/How-to-get-the-average-of-two-fields-and-compare-with-last-event/m-p/233963#M69533 <P>I do not understand. Show sample events and mockup of desired final data.</P> Thu, 12 Nov 2015 17:26:35 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-the-average-of-two-fields-and-compare-with-last-event/m-p/233963#M69533 woodcock 2015-11-12T17:26:35Z https://community.splunk.com/t5/Splunk-Search/How-to-get-the-average-of-two-fields-and-compare-with-last-event/m-p/233964#M69534 <P>Are these individual events single-line events with only one value for Status each, that then are written out in big groups of events, where each group for you constitutes some "event" in the real world? <BR /> Or are these events large multiline events with multiple values of Status in each? </P> Thu, 12 Nov 2015 17:34:26 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-the-average-of-two-fields-and-compare-with-last-event/m-p/233964#M69534 sideview 2015-11-12T17:34:26Z https://community.splunk.com/t5/Splunk-Search/How-to-get-the-average-of-two-fields-and-compare-with-last-event/m-p/233965#M69535 <P>My data is similar to this line:</P> <PRE><CODE>05112015ZK00S09MAIN 05112015ZK00S14MAIN 05112015ZK00E65MAIN 05102015ZK00E22MAIN 05102015ZK00S01MAIN </CODE></PRE> <P>Where the "S" or "E" stands for Status.<BR /> So I should get the average of events with Success, the average of Errors.<BR /> They were both extracted positional regex as "Status"<BR /> How can I get the average of'em ?</P> Thu, 12 Nov 2015 17:41:26 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-the-average-of-two-fields-and-compare-with-last-event/m-p/233965#M69535 vtsguerrero 2015-11-12T17:41:26Z https://community.splunk.com/t5/Splunk-Search/How-to-get-the-average-of-two-fields-and-compare-with-last-event/m-p/233966#M69536 <P>The basic answer is very easy; like this:</P> <PRE><CODE> index=main sourcetype=performance Status=* | eval Status = if(Status=="S","Success","Error") | stats count BY Status </CODE></PRE> <P>The problem is the "compare to last event" part, which doesn't make sense to me.</P> Thu, 12 Nov 2015 17:46:37 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-the-average-of-two-fields-and-compare-with-last-event/m-p/233966#M69536 woodcock 2015-11-12T17:46:37Z https://community.splunk.com/t5/Splunk-Search/How-to-get-the-average-of-two-fields-and-compare-with-last-event/m-p/233967#M69537 <P>I'm sorry but this question doesn't make any sense so I think you're just asking it in a confusing way. "the average of events with Success, the average of Errors" makes very little sense. </P> <P>Do you want to end up with a single overall average success rate like 37%?<BR /><BR /> If so then <BR /> <CODE>index=main sourcetype=performance Status=* | eval foo=1 | chart count over foo by Status | eval ratio=100*<BR /> (S/E) | eval ratio=ratio + "%"</CODE> will do the trick. </P> <P>But this wouldn't incorporate your other requirement, "compare this average to last event so I can get the average difference to the last event" which still doesn't make sense. </P> Thu, 12 Nov 2015 18:04:52 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-the-average-of-two-fields-and-compare-with-last-event/m-p/233967#M69537 sideview 2015-11-12T18:04:52Z https://community.splunk.com/t5/Splunk-Search/How-to-get-the-average-of-two-fields-and-compare-with-last-event/m-p/233968#M69538 <P>I agree; you gave us the 1st part (sample events) but not the 2nd part (mockup of final desire).</P> Thu, 12 Nov 2015 18:11:11 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-the-average-of-two-fields-and-compare-with-last-event/m-p/233968#M69538 woodcock 2015-11-12T18:11:11Z https://community.splunk.com/t5/Splunk-Search/How-to-get-the-average-of-two-fields-and-compare-with-last-event/m-p/233969#M69539 <P>This pretty much solves the problem, just need to get the average of errors and success now...</P> Thu, 12 Nov 2015 18:11:52 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-the-average-of-two-fields-and-compare-with-last-event/m-p/233969#M69539 vtsguerrero 2015-11-12T18:11:52Z https://community.splunk.com/t5/Splunk-Search/How-to-get-the-average-of-two-fields-and-compare-with-last-event/m-p/233970#M69540 <P>Well, this person asked us to get a deviation of average status error / success, I'm not acctually sure if this is possible. He wants a red/yellow/green light indicator to show if the deviation is higher less then 30%, less then 50% or higher then 50% deviation</P> Thu, 12 Nov 2015 18:14:26 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-the-average-of-two-fields-and-compare-with-last-event/m-p/233970#M69540 vtsguerrero 2015-11-12T18:14:26Z