Solved: Average command vs count and average command

ranjitbrhm1 · ‎04-28-2018

Maybe im just bad in mathematics. but why does splunk docs always take the count of events and then the avg of events (stats count(events) | stats avg(events) instead of stats avg events directly?

can someone please explain the logic to me?

TISKAR · ‎04-29-2018

Hello,

The avg function applie to number field avg(event) the event is number, you can apply avg directly to the field that have the number value without use stats count, and when you use | stats count | stats avg the avg look only to the result give by stats count
For example:

 stats count as a by field | stats avg(a)

can you share the link of docs please

Regards

View solution in original post

TISKAR · ‎04-29-2018

Hello,

The avg function applie to number field avg(event) the event is number, you can apply avg directly to the field that have the number value without use stats count, and when you use | stats count | stats avg the avg look only to the result give by stats count
For example:

 stats count as a by field | stats avg(a)

can you share the link of docs please

Regards

FrankVl · ‎04-29-2018

Can you provide a link to an example of that? The way you quoted it here it doesn’t make too much sense to me...

Average command vs count and average command

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation