Re: How to calculate moving average based on 2 fie...

ADRIANODL · ‎09-30-2018

Hi Splunkers,
Suppose I have 2 values in my seach:

Date, # of items purchased, UnitPrice
Day1, 4, 0.12
Day2, 10, 0.10
Day3, 25, 0.19
Day4, 100, 0.15

I want to calculate the average item price throughout time. I hope this question makes sense.

Cheers,

himpor · ‎03-05-2019

base query
| eval purchase_price = (unit_price * no_of_items)
| stats avg(purchase_price)

himpor · ‎02-27-2019

[your search ] | eval purchaseprice = (item_no * unit_price) | eval total_items = sum(item_no) | eval totalpurchaseval = sum(purchaseprice) | eval averageitemprice= totalpurchaseval/total_items

493669 · ‎09-30-2018

If you want avg for item price then try below-

|eventstats avg(UnitPrice) as avg|eval avg=round(avg,2)

ADRIANODL · ‎10-01-2018

Sorry but this doesn't solve my problem since the average I want to calculate is derived from # of items purchased AND UnitPrice.

493669 · ‎10-01-2018

@ADRIANODL, So what is the expected output?
like for # of items purchased=4 and UnitPrice=0.12 then how avg is required to be calculated?

ADRIANODL · ‎10-01-2018

Hi mate,
If for example, I buy 4 apples for 2 dollars each on day one, and 6 apples for 3 dollars each on day two, the average cost of my apples is calculated somehow like that:

Total average is ((4 x$2) + (6 x $3))/(4+6) = 2.6 dollars average per apple.

Now imagine I have X number of days, with different amounts of apples, and different value amounts).

I'm having a hard time translating this equation into splunk commands.

493669 · ‎10-01-2018

try this run anywhere search-

| makeresults |eval  apple=4,price=2|append[| makeresults |eval  apple=6,price=3]|eval product=apple*price|eventstats sum(apple) as sumApple, sum(product) as sumproduct|eval avg=sumproduct/sumApple|fields apple price avg

How to calculate moving average based on 2 fields?

.conf24 | Day 0

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector