Solved: Re: Average with filter

Lucie99 · ‎08-10-2020

Hi everyone,

I don't know how to do the average of the "Moy" for all Debit = 5 and per month with DateJour and after this exactly the same but with Debit =25.

Has somebody an idea ?

I tried many instructions but don't work ..

Thank you in advance

isoutamo · ‎08-10-2020

Hi

Please try:

<base search>
| bin span=1mon DateJour
| stats avg(Moy) as avgMoy by DateJour, Depit

I'm expecting that DateJour is containing time as epoch? If not then you must convert it first to epoch or use _time (instead of DateJour) which already is in correct format.

r. Ismo

View solution in original post

isoutamo · ‎08-10-2020

Hi

Please try:

<base search>
| bin span=1mon DateJour
| stats avg(Moy) as avgMoy by DateJour, Depit

I'm expecting that DateJour is containing time as epoch? If not then you must convert it first to epoch or use _time (instead of DateJour) which already is in correct format.

r. Ismo

Lucie99 · ‎08-11-2020

Hi thanks for helping me. This instruction that is very simiral to yours works, but it gives me the average of all debits (5 and 25) ! How can I do separately the average for debit = 5 and the 2nd average for debit = 25 ?

| stats avg(Moy) as AvgMoy by _time, Debit (I used this)

Thank you

isoutamo · ‎08-11-2020

Hi

I'm not sure if I understood your question, but if you want those avgs one by one with separate queries then this helps.

<base query> Debit=5
| bin span=1mon _time
| stats avg(Moy) as AvgMoy by _time, Debit

And then the second query with debit=25. And if you couldn't add that on the index=.... then you can catch those lines with

| where debit = 5

later on, but before that stats on your query.

If you are meaning something else then please explain that little bite more.

r. Ismo

Average with filter

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms