Solved: Getting a wrong answer for the calculation of mean...

theouhuios · ‎10-26-2012

Hello

I am trying to calculate the mean of a field and it's strange that splunk cal the mean in a completely different manner.

week A B mean(B)
1 41 1290 0 0.000000
2 42 1372 82 82.000000
3 43 81 1291 1291.000000

As you can see above the value is kind of wrong. The command which I used was

sourcetype=incident record.affectedCI="xxxx"| eval week=tonumber(strftime(_time,"%U"))  | stats count by week | rename count as A |delta A as B | eval B=coalesce(B,0) | eval B = abs(B) | stats mean(B) by week A B

In my understanding of math it should have been (0+82+1291)/3 and it should have been the same value for all the weeks. Can anyone please let me know if I am missing something here.

Regards

theou

sowings · ‎10-26-2012

stats evaluates per-event, grouping by your differentiators (the by-clause). Try eventstats. In this case, an example invocation would be like this (replace the stats command at the end of your search):

| eventstats mean(B)

View solution in original post

sowings · ‎10-26-2012

stats evaluates per-event, grouping by your differentiators (the by-clause). Try eventstats. In this case, an example invocation would be like this (replace the stats command at the end of your search):

| eventstats mean(B)

theouhuios · ‎10-26-2012

Ahaa.. Got it. I understand it now on why it messed it up. Thanks for the clarification.

Getting a wrong answer for the calculation of mean in splunk

Index This | A sphere has three, a circle has two, and a point has zero. What is it?

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

Mission Control | Explore the latest release of Splunk Mission Control (2.3)