Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to calculate the average for all values in a single column?

jpolcari
Communicator
‎04-20-2016 06:38 AM

This one seems pretty straight forward, but I haven't been able to find an answer anywhere. I'm looking to calculate the average for all the values in a single column, kind of like addcoltotals. Example of what I am trying to achieve:

User        Time(Hours)
user1       1.2
user2       2.0
user3       0.5
            (average here)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎04-20-2016 07:01 AM

You can do it like this

yoursearchhere
| stats sum(Time) as totalTime by User
| appendpipe [ stats avg(totalTime) as totalTime | eval User = "Average Time" ]
| rename totalTime as "Time (Hours)"

The appendpipe commands examines the results in the pipeline, and in this case, calculates an average. The results of the appendpipe command are added to the end of the existing results. Notice that I used the same field names within the appendpipe command, so that the new results would align in the same columns.

View solution in original post

Reply
Solved! Jump to solution

jotne
Builder
‎06-04-2022 01:14 AM

I did found an better way to do this.

 

 

| makeresults | eval value = "1.2 2.5 0.5" | makemv value | mvexpand value
| eval count=1
| addcoltotals
| eval value=if(count>1,value/count,value)
| fields - count

 

 

Result

 

 

_time	        value
2022-06-04 10:08:55	1.2
2022-06-04 10:08:55	2.5
2022-06-04 10:08:55	0.5
 	                1.4

 

 

Reply
Solved! Jump to solution

ddrillic
Ultra Champion
‎04-20-2016 07:52 AM

You would think that there would be a "family" of commands similar to addcoltotals, such as addcolaverage...

0 Karma
Reply
Solved! Jump to solution

jpolcari
Communicator
‎04-20-2016 07:57 AM

That is what I was hoping for. Maybe one day!

0 Karma
Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎04-20-2016 07:01 AM

You can do it like this

yoursearchhere
| stats sum(Time) as totalTime by User
| appendpipe [ stats avg(totalTime) as totalTime | eval User = "Average Time" ]
| rename totalTime as "Time (Hours)"

The appendpipe commands examines the results in the pipeline, and in this case, calculates an average. The results of the appendpipe command are added to the end of the existing results. Notice that I used the same field names within the appendpipe command, so that the new results would align in the same columns.

Reply
Solved! Jump to solution

jpolcari
Communicator
‎04-20-2016 07:06 AM

Thank you! That is exactly what I needed.

0 Karma
Reply
Solved! Jump to solution

jperezes
Path Finder
‎02-10-2017 12:13 PM

I am trying to do something similar, but this solution is not working to me.
avg(totalTime) returns totalTime as it is the average of a single value. So I end up with a table for total times by user instead of the average by user.
I had to add the total number of occurrences and at the end divide the total value for the number of occurrences per user.

rgds,
Juan

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
Top