Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

A Chart with Total values and then an average Value

malcolmtkelly
Explorer
‎08-22-2013 02:14 AM

So I have a some data that I've put into a chart. For the purposes of this question lets say the data is in the form "Username Purchases"

userA 400
userB 800
userA 150
userZ 900
userA 350
userB 700

How do I create a chart that charts total number of purchases for each user and then a average value across all users as the final column?

So far I have:

sourcetype=data | chart sum(purchases) by username

But I don't know how to average out and insert that last average value.

Tags (2)
0 Karma
Reply

HiroshiSatoh
Champion
‎08-22-2013 06:23 PM

But what if I use the APPEND?

sourcetype=data | chart avg(purchases) by username | append [search sourcetype=data |eval username="allUserAverage" |chart avg(purchases) by username ]

0 Karma
Reply

timmalos
Communicator
‎08-22-2013 05:41 AM

Try

sourcetype=data | eventstats sum(purchases) as total|stats sum(purchases) as sum by username|eval percent=(sum/total)
Reply

watsm10
Communicator
‎08-22-2013 03:57 AM

From my understanding of your question, would it just be like this?

sourcetype=data | chart sum(purchases), avg(purchases) by username
0 Karma
Reply

malcolmtkelly
Explorer
‎08-22-2013 05:27 AM

That's not quite what I'm looking for. I am looking for a bar chart but based on the data the feeding it, the chart would look like:

userAaverage = 300
userBaverage = 750
userZaverage = 900
allUserAverage = 550

So four columns in total

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...