Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I calculate median values for the column for 7 weeks?

belts
New Member
‎08-27-2018 01:44 AM

Dear all,

There are two columns with data: time (time scale in steps of 10 minutes) and val (amount of transactions).
I need to calculate median values (med_val) for the val column for 7 weeks. The specific example for the point 12.04.2018 15:00:00 med_val = median ( val by 7 points. 5.04.2018 15:00:00, 29/03/2018 15:00:00, 22/03/2018 15:00:00, 15/03/2018 15:00:00, 8/8/2018 15:00:00, 03/03/2018 15:00:00, 22/02/2018 15:00:00), i.e. so median at 7 same time points on the same days of the week. If there are no data, then we consider that 0 transactions were performed.

The best that I could come up with is:

| timechart span=10m median(val) | timewrap 1w series=exact

Are there any good solutions?

Thanks in advance!

0 Karma
Reply

DalJeanis
Legend
‎08-27-2018 08:41 AM

To accomplish this, you need to move each of the data points onto the same _time scale.

Here's one way

  index=_audit  earliest=-7w@d latest=@d
| bin _time span=10m 
| stats count as val by _time 
| makecontinuous _time span=10m
| fillnull value=0 val
| rename COMMENT as "The above provides run-anywhere sample data"

| rename COMMENT as "Find the latest time, then recalculate every week to put all records into the same (current) week"
| eventstats max(_time) as maxtime 
| eval _time=maxtime - (  (maxtime - _time) % 604800) 

| rename COMMENT as "display results.  For reference while testing, include number of weeks"
| timechart span=10m median(val) as med_val count as nbr_weeks

| rename COMMENT as "kill prior 6 weeks of now-empty rows"
| where _time > relative_time(now(),"-7d@d")
0 Karma
Reply

vishaltaneja070
Motivator
‎08-27-2018 05:02 AM

Query looks great. Go Ahead!

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...