Splunk Search

Calculate the average of count per day

JyotiP
Path Finder

I am fetching production data like the number of completed for the last 7 days for different procustion customer and I want to find the average order per production customer per day, I have used the following query but it is giving me the blank value in the average column

 Level = "INFO" PartnerToken IN ("ProductionTenant1","ProductionTenant2","ProductionTenant3","ProductionTenant4","ProductionTenant5","ProductionTenant6")
 OperationName="Complete Order" 
 | dedup OperationId 
 | stats avg(count) as count by PartnerToken
Tags (1)
0 Karma
1 Solution

Sukisen1981
Champion

hi @JyotiP
You don't need an avg(count)
| stats count as avg_count by PartnerToken

Basically the count by the partnertken is the average, since the partnertoken's are distinct.
its like sum (2)= avg(2/1)

View solution in original post

0 Karma

Sukisen1981
Champion

hi @JyotiP
You don't need an avg(count)
| stats count as avg_count by PartnerToken

Basically the count by the partnertken is the average, since the partnertoken's are distinct.
its like sum (2)= avg(2/1)

View solution in original post

0 Karma

JyotiP
Path Finder

@Sukisen1981: But for ProductionTenant5 I am getting count is 40 and this is total order placed by the customer in the last 7 days, according to the math is should be 40/7 which is ~5.7

0 Karma

Sukisen1981
Champion

the problem with your code is when you do an avg(count) in stats, there is no count field to do an average of.
if you do something like - |stats count as xxx by yyy|stats avg(xxx) by yyyy
you will get results, but when you try to do an avg(count) in the first stat, there is no count field at all as it is not a auto extracted field.
assuming you are running the query for the last 7 days, you can try this
| timechart span=7d avg(count) as avg_count by PartnerToken

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!