Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Find average when using group by

balash1979
Path Finder
‎10-03-2019 07:03 AM

Here is my query 

index="search_index"   search processing_service | eval time_in_mins=('metric_value')/60 | stats avg(time_in_mins) by channel

By running this query, i get the following results
channel1 5.25
channel2 6.25
channel3 10.25

Basically, i get output of all the channels and their averages. how can I get only 1 value with the average of all the channel averages ?
I would like an output of my query as

Avg_of_all_channels 7.25

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

cmerriman
Super Champion
‎10-03-2019 01:15 PM

as @renjith.nair stated in the comments, I believe what you're after is simply

index="search_index"   search processing_service | eval time_in_mins=('metric_value')/60 | stats avg(time_in_mins) as all_channel_avg

which would just output one column named all_channel_avg and one row with the avg.

if you'd like both the individual channel avg AND the total avg, possibly something like:

index="search_index"   search processing_service | eval time_in_mins=('metric_value')/60 |eventstats avg(time_in_mins) as total_avg| stats values(total_avg) as all_channel_avg avg(time_in_mins) as channel_avg by channel

however, you might want to do a count and sum in the stats command and then the eventstats and some eval in order to not run eventstats before stats. 

index="search_index"   search processing_service | eval time_in_mins=('metric_value')/60| stats  avg(time_in_mins) as channel_avg sum(time_in_mins) as total_mins count as total_count by channel|eventstats sum(total_mins) as total_mins sum(total_count) as total_count|eval all_channel_avg=total_mins/total_count

again, that might actually need some work, as i'm currently really thinking that the math might not be right....

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

cmerriman
Super Champion
‎10-03-2019 01:15 PM

as @renjith.nair stated in the comments, I believe what you're after is simply

index="search_index"   search processing_service | eval time_in_mins=('metric_value')/60 | stats avg(time_in_mins) as all_channel_avg

which would just output one column named all_channel_avg and one row with the avg.

if you'd like both the individual channel avg AND the total avg, possibly something like:

index="search_index"   search processing_service | eval time_in_mins=('metric_value')/60 |eventstats avg(time_in_mins) as total_avg| stats values(total_avg) as all_channel_avg avg(time_in_mins) as channel_avg by channel

however, you might want to do a count and sum in the stats command and then the eventstats and some eval in order to not run eventstats before stats. 

index="search_index"   search processing_service | eval time_in_mins=('metric_value')/60| stats  avg(time_in_mins) as channel_avg sum(time_in_mins) as total_mins count as total_count by channel|eventstats sum(total_mins) as total_mins sum(total_count) as total_count|eval all_channel_avg=total_mins/total_count

again, that might actually need some work, as i'm currently really thinking that the math might not be right....

0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎10-03-2019 07:33 AM

@balash1979,

What do you get after removing the by channel from the search ?

---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply
Solved! Jump to solution

balash1979
Path Finder
‎10-03-2019 01:10 PM

Thanks. I just removed by channel and it worked. I was just overthinking.

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...