Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How do I get cumulative moving average?

brdennehy
Explorer
‎07-31-2019 07:36 AM

Hi guys,

I am trying to compute and chart the cumulative moving average (ref. of what is it:https://en.wikipedia.org/wiki/Moving_average#Cumulative_moving_average)

The point is that I am doing the following query:

host=SARITA source="login.csv" | reverse | accum elapsed_time as cumulative_elapsed_time | timechart span=5h last(cumulative_elapsed_time) by server

And what I get from it is the cumulative sum. Now what I still need is to get cumulative count (which means, for any "n" value, to get the amount n up to that point in time, but not the total amount of values of all that series), so I can divide the cumulative value by the cumulative count, thus having the cumulative average.

Please help me with this, as I am really stuck on it. Thank you very much in advance for your patience.

Best regards,
Brian

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎07-31-2019 08:15 AM

Use the streamstats command to count the events.

host=SARITA source="login.csv" 
| reverse 
| streamstats count 
| accum elapsed_time as cumulative_elapsed_time 
| timechart span=5h last(cumulative_elapsed_time) by server

Even better would be to let streamstats do the moving average for you.

host=SARITA source="login.csv" 
| reverse 
| streamstats time_window=5h avg(elapsed_time) as AvgElapsedTime by server
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎07-31-2019 08:15 AM

Use the streamstats command to count the events.

host=SARITA source="login.csv" 
| reverse 
| streamstats count 
| accum elapsed_time as cumulative_elapsed_time 
| timechart span=5h last(cumulative_elapsed_time) by server

Even better would be to let streamstats do the moving average for you.

host=SARITA source="login.csv" 
| reverse 
| streamstats time_window=5h avg(elapsed_time) as AvgElapsedTime by server
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

brdennehy
Explorer
‎07-31-2019 08:26 AM

Thanks!! I'll try the streamstats tomorrow.

The problem with your suggestion of making streamstats to do the moving average for me is that the time window must be from the first measure until that point n in question, and not 5h....

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎07-31-2019 11:21 AM

I chose the time_window option based on your use of timechart span=5h, but you can use another option that works better for your use case.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

brdennehy
Explorer
‎08-01-2019 12:47 AM

Thanks man! I used the default (non specified) time-frame. I read that the limit is 10,000 events, but it's ok. I only have 2 events per day.

Thank you very much!!!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...