Reporting

How to get the average by two variables through a single accelerated report?

New Member

Hi,

I need to calculate an average by two fields. Each event has the below values:

time variable1 variable2 countofevents

Example:

``````2016-04-23 14:30:00 Apple vendor1 3
2016-04-23 14:31:00 Apple vendor2 6
2016-04-23 14:30:00 Mango vendor1 8
2016-04-23 14:30:00 Apple vendor3 7
``````

I need to find:
1) averages of countofevents by variable1
2) averages of countofevents by variable2

Can that be done using single report acceleration?

I tried doing:

``````index =x | stats avg(countofevents) by _time, variable1, variable2
``````

Then 2 other searches which use report acceleration:

I tried doing:

``````index =x | stats avg(countofevents) as avg1 by _time, variable1, variable2 | stats avg(avg1) by _time, variable1
``````

and

``````index =x | stats avg(countofevents) as avg1 by _time, variable1, variable2 | stats avg(avg1) by _time, variable2
``````

The above didn't work because it is trying to do avg on average values again.

Is there any way I can get the required data by using single report acceleration instead of two?

Thanks
sravya

Tags (3)
1 Solution
Legend

The following might work,but I don't know if it can be accelerated:

``````index = x
| appendpipe [ stats avg(countofevents) as avg1 by variable1 | rename variable1 as "Var1 Heading" ]
| appendpipe [ stats avg(countofevents) as avg2 by variable2 | rename variable2 as "Var2 Heading" ]
``````
Legend

The following might work,but I don't know if it can be accelerated:

``````index = x
| appendpipe [ stats avg(countofevents) as avg1 by variable1 | rename variable1 as "Var1 Heading" ]
| appendpipe [ stats avg(countofevents) as avg2 by variable2 | rename variable2 as "Var2 Heading" ]
``````
New Member

Thanks lguinn. it can be accelerated..

Get Updates on the Splunk Community!

Observability Highlights | January 2023 Newsletter

January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...

Security Highlights | January 2023 Newsletter

January 2023 Splunk Security Essentials (SSE) 3.7.0 ReleaseThe free Splunk Security Essentials (SSE) 3.7.0 app ...

Platform Highlights | January 2023 Newsletter

January 2023Peace on Earth and Peace of Mind With Business ResilienceAll organizations can start the new year ...