How to create a search that finds the average of t...

kishan2356 · ‎04-05-2022

I have an search where I need to find the average of the last three bins. Example: On my time filter I select an range of 10:00 - 10:30. I need to find the average of ONLY the first three bins 581, 698, and 247. How can I create a search that does this?

On this dashboard I use an time picker so the search would need to be dynamic, as there would be new time inputs.

_time	Count
10:00	581
10:05	698
10:10	247
10:15	987
10:20	365
10:30	875

bowesmana · ‎04-05-2022

How do you want to display that, as a single value somewhere or in the same table as your example. There are several ways to calculate that. Note that you mention both first and last - but imply earliest in your numbers.

Note that you can always make a base search if you have data in one dashboard panel that is used by another and add whatever you need to a post processing search for the average.

If you simply want the average of the 3 as a value somewhere, take the last two lines of this.

| makeresults
| eval _raw="_time	Count
10:00	581
10:05	698
10:10	247
10:15	987
10:20	365
10:30	875"
| multikv forceheader=1
| eval _time=strptime(time, "%H:%M")
| table _time Count
| head 3
| stats avg(Count) as Count

or as a rolling average of the 3 bins, use this instead of the last two lines above

| streamstats window=3 avg(Count) as AvgCount

If that doesn't help, please clarify how you want to use this value

How to create a search that finds the average of the last three bins?

count

stats

subsearch

timechart

Shape the Future of Splunk: Join the Product Research Lab!

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Are you a member of the Splunk Community?