Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to calculate moving average and graph it as an overlay on a bar chart of actual values?

krwinters11
Path Finder
‎11-18-2014 01:09 PM

I am trying to calculate a moving average and overlay those values on a bar chart of actual values. This is what I have:

| streamstats window=7 avg(Value) AS AvgValue | chart values(AvgValue) AS "Moving Average", values(Value) AS "Actual Value" by _time

The window function doesn't seem to be working. Every point has a different value for moving average; it should be every 7 points, unless I am misunderstanding how splunk is calculating the value.

Any suggestions would be great! Regards.

Reply
1 Solution
Solved! Jump to solution
Solution

bmunson_splunk
Splunk Employee
Splunk Employee
‎11-18-2014 02:39 PM

No you are misunderstanding the way these averages are calculated. Point 7 will be the average of points 1-7 but point 8 is the average of 2-8, point 9 is the average of 3-9 and so on. Point 14 is 8-14 but there are 6 points between 7 and 14 giving the jerky appearance.

View solution in original post

Reply
Solved! Jump to solution

bmunson_splunk
Splunk Employee
Splunk Employee
‎11-18-2014 02:50 PM

If all you want is a smoother graph, that can be achieved with an average of averages. It is mathematically questionable but does reduce the jagged effect when plotted. Try something like this.

earliest=-24h@h sourcetype=access*| timechart  span=10m sum(bytes) as bytes | streamstats avg(bytes) as av1 window=5 | streamstats avg(av1) as av2 window=3
0 Karma
Reply
Solved! Jump to solution
Solution

bmunson_splunk
Splunk Employee
Splunk Employee
‎11-18-2014 02:39 PM

No you are misunderstanding the way these averages are calculated. Point 7 will be the average of points 1-7 but point 8 is the average of 2-8, point 9 is the average of 3-9 and so on. Point 14 is 8-14 but there are 6 points between 7 and 14 giving the jerky appearance.

Reply
Solved! Jump to solution

krwinters11
Path Finder
‎11-19-2014 09:34 AM

You are right, streamstats and trendline both work. I misunderstood the way the averages are calculated. Thanks!

0 Karma
Reply
Solved! Jump to solution

krwinters11
Path Finder
‎11-19-2014 09:37 AM

If you convert it to an answer, I'll accept it.

0 Karma
Reply
Solved! Jump to solution

bmunson_splunk
Splunk Employee
Splunk Employee
‎11-18-2014 02:11 PM

streamstats and trendline can both create moving averages but they do not reduce the granularity of the line. It will still look as "jerky" but they are accurate averages. Increasing the window will make it look smoother.

earliest=-24h@h sourcetype=access*| timechart  span=10m sum(bytes) as bytes | streamstats avg(bytes) as av1 window=5 | streamstats avg(bytes) as av2 window=50
Reply
Solved! Jump to solution

HattrickNZ
Motivator
‎04-27-2015 04:14 PM

@bmunson_splunk I tried this and eventually got it to work. But can you clarify what as av1 window=5 will that be the average of tje 1st 10min slot to the 5th 10min slot, and this average is put in the 5th slot, and not put in the 6th slot.

Slots10min  totalPerslot    av1     
slot1   10  10  <<-average of slot1 
slot2   11  10.5    <<-average of slot1-slot2   
slot3   12  11  <<-average of slot1-slot3   
slot4   13  11.5    <<-average of slot1-slot4   
slot5   14  12  <<-average of slot1-slot5   
slot6   15  13      
slot7   16  14      
slot8   17  15      
slot9   18  16      
slot10  19  17
0 Karma
Reply
Solved! Jump to solution

BobM
Builder
‎04-27-2015 04:44 PM

The as av1 just tells splunk to name the average av1.

window=5 says take the average over 5 events (by default) including this one. So the average of slot 1-5 goes in slot 5 , 2-6 in slot 6 and so on. But there is an extra option you can say, current=false. This will then over ride the default and use the previous 5 not including the current one. So slot6 has the average of 1-5, slot7 has 2-6 and so on.

0 Karma
Reply
Solved! Jump to solution

aljohnson_splun
Splunk Employee
Splunk Employee
‎11-18-2014 01:28 PM

Sounds like you're looking for trendline. See the docs here.

Reply
Solved! Jump to solution

krwinters11
Path Finder
‎11-18-2014 02:21 PM

trendline seems to react the same as the stream stats function above
still jerky like bmunson_splunk mentioned in the above comment. Unless I am misunderstanding the way that Splunk is calculating, it should be averaging 7 points and the 14 and then 21 so the plots should only be every 7 events.

0 Karma
Reply
Solved! Jump to solution

krwinters11
Path Finder
‎11-18-2014 01:17 PM

It looks like a central moving average would use a window with the point in the center. I'm not sure splunk is doing this(?). It looks as though it is calculating the average using all data up to that point. which is why it is different for each point. http://en.wikipedia.org/wiki/Moving_average

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
Top