Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Reporting
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Other Using Splunk
- :
- Reporting
- :
- How to get the average by two variables through a ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sravyav
New Member
04-20-2016
12:08 PM
Hi,
I need to calculate an average by two fields. Each event has the below values:
time variable1 variable2 countofevents
Example:
2016-04-23 14:30:00 Apple vendor1 3
2016-04-23 14:31:00 Apple vendor2 6
2016-04-23 14:30:00 Mango vendor1 8
2016-04-23 14:30:00 Apple vendor3 7
I need to find:
1) averages of countofevents by variable1
2) averages of countofevents by variable2
Can that be done using single report acceleration?
I tried doing:
index =x | stats avg(countofevents) by _time, variable1, variable2
Then 2 other searches which use report acceleration:
I tried doing:
index =x | stats avg(countofevents) as avg1 by _time, variable1, variable2 | stats avg(avg1) by _time, variable1
and
index =x | stats avg(countofevents) as avg1 by _time, variable1, variable2 | stats avg(avg1) by _time, variable2
The above didn't work because it is trying to do avg on average values again.
Is there any way I can get the required data by using single report acceleration instead of two?
Thanks
sravya
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
lguinn2
Legend
04-20-2016
12:35 PM
The following might work,but I don't know if it can be accelerated:
index = x
| appendpipe [ stats avg(countofevents) as avg1 by variable1 | rename variable1 as "Var1 Heading" ]
| appendpipe [ stats avg(countofevents) as avg2 by variable2 | rename variable2 as "Var2 Heading" ]
| table "Var1 Heading" avg1 "Var2 Heading" avg2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
lguinn2
Legend
04-20-2016
12:35 PM
The following might work,but I don't know if it can be accelerated:
index = x
| appendpipe [ stats avg(countofevents) as avg1 by variable1 | rename variable1 as "Var1 Heading" ]
| appendpipe [ stats avg(countofevents) as avg2 by variable2 | rename variable2 as "Var2 Heading" ]
| table "Var1 Heading" avg1 "Var2 Heading" avg2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sravyav
New Member
04-21-2016
01:40 PM
Thanks lguinn. it can be accelerated..
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Get Updates on the Splunk Community!
Community Content Calendar, September edition
Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...
Splunkbase Unveils New App Listing Management Public Preview
Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...
Leveraging Automated Threat Analysis Across the Splunk Ecosystem
Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...
