
## Can eval be used to calculate the standard deviation in multiple fields for a single event?

Path Finder

Is there a way to use eval to calculate the standard deviation of data in multiple fields (same number of fields each time) for a single event? Right now I am using an eval statement that writes out the entire Standard Deviation formula.

``````
| eval StDev = round(pow((pow(field1-fieldsAvg, 2)+pow(field2-fieldsAvg, 2)+pow(field3-fieldsAvg, 2)+pow(field4-fieldsAvg, 2)+pow(field5-fieldsAvg, 2))/5, 1/2), 4)
``````

Each line of my table represents a different event that needs this calculation.

Motivator

Since standard deviation is calculated using the average, I am assuming your field called `fieldsAvg` is the average of all five fields. That also makes me think we can tweak your situation as follows:
- Make a new field called `myField` which has values from all the five fields. So if you have 3 events with 5 field values each, this new field will have 15 values to take care of all 5 fields for all 3 events.
- Calculate the stdev on this new field

``````
your base query to return field1,field2,field3,field4,field5
| eval myField=mvzip(field1, mvzip(field2, mvzip(field3, mvzip(field4, field5))))
| mvexpand myField
| rex max_match=0 field=myField "(?<numbers>\d+)"
| stats stdev(numbers) as stdDeviation
``````

Path Finder

Yes, I do have the `fieldsAvg` calculated separately.

In your explanation, you say that 5 values from 3 events will all end up in `myField` together. What if I still want to keep the Standard Deviations separate by events?

Explorer

You could improve your current solution by making a macro out of it, which would be easier to use and maintain across different searches without worrying about a typo causing one of them to behave differently.

Champion

My understanding is there is no `eval` function that will calculate the standard deviation for fields in the same row.

Most of the `eval` functions are designed to be performed across all of the rows against specific fields (e.g., the standard deviation for your field "field1").
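
For the follow-up question above about keeping the standard deviation separate per event, one approach is shown here as an added example (not code from any poster in this thread): tag each event with a row ID, expand the five values into one row each, then aggregate by that ID. The `makeresults` sample data and the `event_id` and `value` field names are constructed for illustration; `stdevp` is the population standard deviation, which matches the divide-by-5 formula in the question.

```spl
| makeresults count=3
| streamstats count AS event_id
| eval field1=event_id*10, field2=event_id*10+2, field3=event_id*10+4, field4=event_id*10+6, field5=event_id*10+8
| eval value=mvappend(field1, field2, field3, field4, field5)
| mvexpand value
| stats first(field*) AS field*, avg(value) AS fieldsAvg, stdevp(value) AS StDev BY event_id
| eval StDev=round(StDev, 4)
```

In a real search, replace the first three lines with the base query and keep the `streamstats` line so every event gets its own `event_id` before `mvexpand` multiplies the rows.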