Splunk Search

How do you find the average delta of sum of fields in multiple events?

tommasocurto
New Member


I need to be able to find the average of the daily delta of the sum of all BCP* fields and I am trying to do something like this:

...search...
| transaction _time
| addtotals BCP* fieldname=bcp
| delta bcp as delta_bcp
| stats avg(delta_bcp)

But it doesn't work. How can I accomplish this?


renjith_nair
Legend

Hi @tommasocurto,

Try

your search
| addtotals BCP* fieldname=bcp
| timechart span=1d sum(bcp) as bcp
| delta bcp as delta_bcp
| fillnull value=0 delta_bcp
| stats avg(delta_bcp)

You may replace fillnull with a value of your choice to adjust the average for the first value.

---
What goes around comes around. If it helps, hit it with Karma 🙂

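To make the semantics of the accepted pipeline concrete, here is a small Python re-implementation of each SPL stage (addtotals over BCP*, timechart span=1d sum, delta, optional fillnull, stats avg) run over a few constructed events. This is an added example, not code from the thread or from Splunk; the event values and timestamps are made up, day buckets are taken in UTC (timechart buckets in the search's time zone), and the fixed-field `case()` sum from the other answer is included only to show that it agrees with the wildcard total when BCP0..BCP2 are always present.

```python
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean

# Constructed sample events (not from the original post). Epoch timestamps are
# 2024-01-01, 2024-01-02 and 2024-01-03 00:00 UTC; the number of BCP* fields
# varies per event and BCP3 is sometimes absent, as in the question.
EVENTS = [
    {"_time": 1704067200, "BCP0": 10, "BCP1": 5, "BCP2": 2, "BCP3": 1},
    {"_time": 1704067200 + 3600, "BCP0": 4, "BCP1": 3, "BCP2": 1},
    {"_time": 1704153600, "BCP0": 12, "BCP1": 6, "BCP2": 2},
    {"_time": 1704153600 + 7200, "BCP0": 5, "BCP1": 5, "BCP2": 2, "BCP3": 0},
    {"_time": 1704240000, "BCP0": 20, "BCP1": 8, "BCP2": 3, "BCP3": 3},
]


def addtotals(event, prefix="BCP"):
    """Stage 1: `addtotals BCP* fieldname=bcp`.
    Sums every numeric field whose name matches the wildcard; a field that is
    not present in the event is simply not part of the sum."""
    return sum(v for k, v in event.items()
               if k.startswith(prefix) and isinstance(v, (int, float)))


def case_sum(event):
    """The fixed-field alternative from the other answer:
    case(isnull(BCP3), BCP0+BCP1+BCP2, 1=1, BCP0+BCP1+BCP2+BCP3).
    In SPL, arithmetic on a null operand yields null, so this form only works
    while BCP0..BCP2 are guaranteed to exist in every event (assumption)."""
    base = event["BCP0"] + event["BCP1"] + event["BCP2"]
    return base if event.get("BCP3") is None else base + event["BCP3"]


def daily_sums(events):
    """Stage 2: `timechart span=1d sum(bcp) as bcp`, bucketed by UTC day.
    Returns the per-day totals in chronological order."""
    buckets = defaultdict(float)
    for ev in events:
        day = datetime.fromtimestamp(ev["_time"], tz=timezone.utc).date()
        buckets[day] += addtotals(ev)
    return [buckets[d] for d in sorted(buckets)]


def delta(values):
    """Stage 3: `delta bcp as delta_bcp`.
    The first row has no previous value, so its delta is None (null in SPL)."""
    return [None] + [b - a for a, b in zip(values, values[1:])]


def avg_delta(events, fillnull=None):
    """Stages 4 and 5: optional `fillnull value=<fillnull> delta_bcp`, then
    `stats avg(delta_bcp)`. stats avg() ignores null values, so without
    fillnull the first day does not count; with fillnull value=0 it counts
    as a zero change and pulls the average down."""
    deltas = delta(daily_sums(events))
    if fillnull is not None:
        deltas = [fillnull if d is None else d for d in deltas]
    present = [d for d in deltas if d is not None]
    return mean(present) if present else None


if __name__ == "__main__":
    print("per-event totals:", [addtotals(e) for e in EVENTS])
    print("daily sums:", daily_sums(EVENTS))          # [26.0, 32.0, 34.0]
    print("deltas:", delta(daily_sums(EVENTS)))       # [None, 6.0, 2.0]
    print("avg (nulls ignored):", avg_delta(EVENTS))  # 4.0
    print("avg (fillnull 0):", avg_delta(EVENTS, 0))  # 2.666...
```

With these numbers the two variants differ (4.0 versus about 2.67), which is exactly the choice the answer leaves to you: drop the first day, or count it as a zero-change day. Days with no events at all are not modelled here.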

pjdwyer
Explorer

To sum all of the BCP values you would need to use a case eval to make sure you capture all BCP values in a single event. Here is how I would do that:

| eval sumbcp=case(isnull(BCP3),BCP0+BCP1+BCP2,1=1,BCP0+BCP1+BCP2+BCP3)

The value in sumbcp would be the sum of all the BCP values in the event. If BCP3 does not exist (it is null) it won't try adding it to the total, otherwise it will add BCP3.

The 1=1 is used as an else statement.



tommasocurto
New Member

Thank you, this works just fine without "|fillnull value=0 delta_bcp".
