Splunk Answers: Getting Data In

Mean for Failed Logons to Windows

hagjos43

Contributor

11-06-2013 11:05 AM

I'm trying to grab the number value of all failed logons on windows logs (eventually will be failed logons per account aka user).

I'm trying to run the mean on the following query:

```
index=xyz ("EventCode=4625") OR ("EventCode=529" OR "EventCode=530" OR "EventCode=531" OR "EventCode=532" OR "EventCode=533" OR "EventCode=534" OR "EventCode=535" OR "EventCode=536" OR "EventCode=537" OR "EventCode=539") (Logon_Type=*) | stats mean(user)
```

This returns no value. If I change it to `stats mean(EventCode)` it returns a number that is incorrect. This number corresponds to the mean of the EventCode numbers. Perhaps I simply can't wrap my head around the situation, but any help would be greatly appreciated!

1 Solution


lguinn2

Legend

11-06-2013 11:09 AM

Try this:

```
index=xyz ("EventCode=4625") OR ("EventCode=529" OR "EventCode=530" OR "EventCode=531" OR "EventCode=532" OR "EventCode=533" OR "EventCode=534" OR "EventCode=535" OR "EventCode=536" OR "EventCode=537" OR "EventCode=539") (Logon_Type=*)
| stats count by user
| stats mean(count) as MeanCountOfUserEvents
```

The `mean` function calculates the average of the field that you name. So `mean(EventCode)` will return the mean of the numeric event codes - and Splunk can't even calculate `mean(user)` because none of the values for `user` are numeric. My example counts the number of events for each user, and then takes the mean of that count.



lguinn2

Legend

11-07-2013 09:40 AM

I don't understand how you are using the term "mean" - in English, the statistic called "mean" is also called "average." The mean is calculated for a series of numbers by first summing the numbers and then dividing the total by the count of the numbers.

The mean is not a "standard deviation" - for a standard deviation, use the `stdev` function instead.

Finally, this will work for your count by user:

```
yoursearchhere
| stats count by user
```

The `mean` doesn't make sense here, as you have only one value per user.
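The following is an added illustration, not code from the thread, and Python stands in for SPL here because the two-stage `stats` pipeline is easy to mirror with a counter and the `statistics` module. It works through what lguinn2's accepted answer and this follow-up describe: `mean(user)` yields nothing because no value is numeric, `mean(EventCode)` averages the event IDs themselves, `stats count by user` followed by `stats mean(count)` gives the mean number of failed logons per account, `stdev` gives the spread, and `mean(count) by user` just hands each user's own count back. The event records are constructed sample data (hypothetical accounts, not real logs); the event ID set is the one used in the question's search.

```python
from collections import Counter
from statistics import mean, stdev

# Failed-logon event IDs from the question's search: 4625 (Vista and later)
# plus the legacy 529-537 and 539 codes.
FAILED_LOGON_CODES = {4625, 529, 530, 531, 532, 533, 534, 535, 536, 537, 539}

# Constructed sample events standing in for indexed Windows Security events.
# Each dict carries only the fields the search touches.
SAMPLE_EVENTS = [
    {"EventCode": 4625, "user": "alice", "Logon_Type": 3},
    {"EventCode": 4625, "user": "alice", "Logon_Type": 3},
    {"EventCode": 529,  "user": "alice", "Logon_Type": 2},
    {"EventCode": 4625, "user": "bob",   "Logon_Type": 10},
    {"EventCode": 4625, "user": "carol", "Logon_Type": 3},
    {"EventCode": 539,  "user": "carol", "Logon_Type": 2},
    {"EventCode": 4624, "user": "carol", "Logon_Type": 3},  # successful logon, excluded
    {"EventCode": 4625, "user": "dave"},                    # no Logon_Type, excluded by Logon_Type=*
]


def failed_logons(events):
    """The base search: failed-logon EventCodes where Logon_Type is present (Logon_Type=*)."""
    return [e for e in events
            if e.get("EventCode") in FAILED_LOGON_CODES and "Logon_Type" in e]


def mean_of_field(events, field):
    """Mimic `stats mean(field)`: only numeric values are averaged, and a field
    with no numeric values (such as user) produces no result at all."""
    values = [e[field] for e in events
              if isinstance(e.get(field), (int, float)) and not isinstance(e.get(field), bool)]
    return mean(values) if values else None


def count_by_user(events):
    """`stats count by user`: number of failed logons per account."""
    return dict(Counter(e["user"] for e in events))


def mean_count_of_user_events(counts):
    """`stats mean(count) as MeanCountOfUserEvents` over the per-user table."""
    return mean(counts.values())


def stdev_of_user_counts(counts):
    """`stats stdev(count)`: sample standard deviation of the per-user counts,
    which needs at least two users to be defined."""
    return stdev(counts.values()) if len(counts) > 1 else None


def mean_count_by_user(counts):
    """`stats mean(count) by user` after `stats count by user`: each group holds a
    single value, so the 'mean' is simply that user's count unchanged."""
    return {user: mean([c]) for user, c in counts.items()}


if __name__ == "__main__":
    failed = failed_logons(SAMPLE_EVENTS)
    print("mean(user)      ->", mean_of_field(failed, "user"))       # None: nothing numeric
    print("mean(EventCode) ->", mean_of_field(failed, "EventCode"))  # average of the IDs, not useful
    counts = count_by_user(failed)
    print("count by user   ->", counts)
    print("mean(count)     ->", mean_count_of_user_events(counts))
    print("stdev(count)    ->", stdev_of_user_counts(counts))
    print("mean(count) by user ->", mean_count_by_user(counts))
```

The point to carry back to SPL is the order of the two `stats` commands: the first collapses raw events into one row per account, and only then does averaging (or `stdev`) across rows say something about the population of accounts rather than about the event IDs.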


hagjos43

Contributor

11-07-2013 05:59 AM

Looks like I figured it out on my own.....

```
stats mean(count) as Standard_Deveation_Of_Successful_Logons by user
```


hagjos43

Contributor

11-07-2013 05:54 AM


Ayn

Legend

11-06-2013 11:09 AM

`stats count` at the end of the search, instead of `stats mean(...)`. If I misunderstood your intentions, please describe them in more detail.