Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I get cumulative moving average?

brdennehy
Explorer
‎07-31-2019 07:36 AM

Hi guys,

I am trying to compute and chart the cumulative moving average (ref. of what is it:https://en.wikipedia.org/wiki/Moving_average#Cumulative_moving_average)

The point is that I am doing the following query:

host=SARITA source="login.csv" | reverse | accum elapsed_time as cumulative_elapsed_time | timechart span=5h last(cumulative_elapsed_time) by server

And what I get from it is the cumulative sum. Now what I still need is to get cumulative count (which means, for any "n" value, to get the amount n up to that point in time, but not the total amount of values of all that series), so I can divide the cumulative value by the cumulative count, thus having the cumulative average.

Please help me with this, as I am really stuck on it. Thank you very much in advance for your patience.

Best regards,
Brian

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎07-31-2019 08:15 AM

Use the streamstats command to count the events.

host=SARITA source="login.csv" 
| reverse 
| streamstats count 
| accum elapsed_time as cumulative_elapsed_time 
| timechart span=5h last(cumulative_elapsed_time) by server

Even better would be to let streamstats do the moving average for you.

host=SARITA source="login.csv" 
| reverse 
| streamstats time_window=5h avg(elapsed_time) as AvgElapsedTime by server
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎07-31-2019 08:15 AM

Use the streamstats command to count the events.

host=SARITA source="login.csv" 
| reverse 
| streamstats count 
| accum elapsed_time as cumulative_elapsed_time 
| timechart span=5h last(cumulative_elapsed_time) by server

Even better would be to let streamstats do the moving average for you.

host=SARITA source="login.csv" 
| reverse 
| streamstats time_window=5h avg(elapsed_time) as AvgElapsedTime by server
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

brdennehy
Explorer
‎07-31-2019 08:26 AM

Thanks!! I'll try the streamstats tomorrow.

The problem with your suggestion of making streamstats to do the moving average for me is that the time window must be from the first measure until that point n in question, and not 5h....

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎07-31-2019 11:21 AM

I chose the time_window option based on your use of timechart span=5h, but you can use another option that works better for your use case.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

brdennehy
Explorer
‎08-01-2019 12:47 AM

Thanks man! I used the default (non specified) time-frame. I read that the limit is 10,000 events, but it's ok. I only have 2 events per day.

Thank you very much!!!

0 Karma
Reply
Get Updates on the Splunk Community!

Unlock Database Monitoring with Splunk Observability Cloud

  In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

At Cisco, purpose isn’t a tagline—it’s a commitment. Cisco’s FY25 Purpose Report outlines how the company is ...

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join us for a live Demo Day at the Cisco Store on January 21st 10:00am - 11:00am PST In the fast-paced world ...