- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to calculate the average of a column, and ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I displayed the list of people and their count by using the below search:
foo | stats dc(A) as people by B
which displayed as follows
people B
asd 23
sdas 32
Now how can I calculate the average of all the values in B and display the average in another column?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
foo | stats dc(A) as people by B|eventstats avg(people) as avgPeople|stats max(people) as people max(avgPeople) as avgPeople by B
something like this might be what you're looking for
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
foo | stats dc(A) as people by B|eventstats avg(people) as avgPeople|stats max(people) as people max(avgPeople) as avgPeople by B
something like this might be what you're looking for
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
now how can I display only the people with B values greater than avgPeople and also how to calculate their count?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
foo | stats dc(A) as people by B|eventstats avg(people) as avgPeople|stats max(people) as people max(avgPeople) as avgPeople by B|where people>avgPeople
calculate what count exactly? did you want to just add count to the first stats command and add max(count) as totalCount to the second command?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would be really appriciate if you can suggest me a way to display a timechart which displays the avgpeople and people by B with time. @cmerriman
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
foo | stats dc(A) as people by B _time|eventstats avg(people) as avgPeople|timechart span=1d max(people) as people max(avgPeople) as avgPeople by B |where people>avgPeople
you might play around with the first stats command. maybe add a |bucket _time span=1d before it or something, depending on what your _time field looks like.
Enter the Splunk Community Dashboard Challenge for Your Chance to Win!
.conf24 | Session Scheduler is Live!!
Introducing the Splunk Community Dashboard Challenge!
