Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do you find the average delta of sum of fields in multiple events?

tommasocurto
New Member
‎06-19-2018 11:10 AM

alt text

I need to be able to find the average of the daily delta of the sum of all BCP* fields and I am trying to do something like this:

...search...    
    | transaction _time
    | addtotals BCP* fieldname=bcp
    | delta bcp as delta_bcp
    | stats avg(delta_bcp)

But it doesn't work. How can I accomplish this?

Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎06-20-2018 01:16 AM

Hi @tommasocurto,

Try

your search |addtotals BCP* fieldname=bcp|timechart span=1d sum(bcp) as bcp|delta bcp as delta_bcp|fillnull value=0 delta_bcp|stats avg(delta_bcp)

you shall replace fillnull with your choice to adjust the average for the first value

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

Reply
Solved! Jump to solution

pjdwyer
Explorer
‎06-20-2018 06:30 AM

To sum all of the BCP values you would need to use a case eval to make sure you capture all BCP values in a single event. Her is how I would do that:

| eval sumbcp=case(isnull(BCP3),BCP0+BCP1+BCP2,1=1,BCP0+BCP1+BCP2+BCP3)

The value in sumbcp would be the sum of all the BCP in the event. If BCP3 does not exist (it is null) it wont try adding it to the total, otherwise it will add BCP3.

The 1=1 is used as an else statement.

0 Karma
Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎06-20-2018 01:16 AM

Hi @tommasocurto,

Try

your search |addtotals BCP* fieldname=bcp|timechart span=1d sum(bcp) as bcp|delta bcp as delta_bcp|fillnull value=0 delta_bcp|stats avg(delta_bcp)

you shall replace fillnull with your choice to adjust the average for the first value

---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply
Solved! Jump to solution

tommasocurto
New Member
‎06-20-2018 08:22 AM

Thank you, this works just fine without "|fillnull value=0 delta_bcp".

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...

Splunk and Fraud

Watch Now!Watch an insightful webinar where we delve into the innovative approaches to solving fraud using the ...