Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do you find the average delta of sum of fields in multiple events?

tommasocurto
New Member
‎06-19-2018 11:10 AM

alt text

I need to be able to find the average of the daily delta of the sum of all BCP* fields and I am trying to do something like this:

...search...    
    | transaction _time
    | addtotals BCP* fieldname=bcp
    | delta bcp as delta_bcp
    | stats avg(delta_bcp)

But it doesn't work. How can I accomplish this?

Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎06-20-2018 01:16 AM

Hi @tommasocurto,

Try

your search |addtotals BCP* fieldname=bcp|timechart span=1d sum(bcp) as bcp|delta bcp as delta_bcp|fillnull value=0 delta_bcp|stats avg(delta_bcp)

you shall replace fillnull with your choice to adjust the average for the first value

Happy Splunking!

View solution in original post

Reply
Solved! Jump to solution

pjdwyer
Explorer
‎06-20-2018 06:30 AM

To sum all of the BCP values you would need to use a case eval to make sure you capture all BCP values in a single event. Her is how I would do that:

| eval sumbcp=case(isnull(BCP3),BCP0+BCP1+BCP2,1=1,BCP0+BCP1+BCP2+BCP3)

The value in sumbcp would be the sum of all the BCP in the event. If BCP3 does not exist (it is null) it wont try adding it to the total, otherwise it will add BCP3.

The 1=1 is used as an else statement.

0 Karma
Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎06-20-2018 01:16 AM

Hi @tommasocurto,

Try

your search |addtotals BCP* fieldname=bcp|timechart span=1d sum(bcp) as bcp|delta bcp as delta_bcp|fillnull value=0 delta_bcp|stats avg(delta_bcp)

you shall replace fillnull with your choice to adjust the average for the first value

Happy Splunking!
Reply
Solved! Jump to solution

tommasocurto
New Member
‎06-20-2018 08:22 AM

Thank you, this works just fine without "|fillnull value=0 delta_bcp".

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...