Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to do average for differents persons

Abarny
Path Finder
‎03-06-2017 01:53 AM

Hi,

I have problem with an average, do you know how i can to do an average enter the max JourP and number where I have the ACResponse 200 but it's not for a single person. I need to do that for 8 persons differents on same times and do an average to this average for got just one number.
(Ex: Moyen= AppelID/max(JourP) where AppelId is 3 and JourP is 5)

alt text

I do that but I have a number truncated because i do average for day max and an average global and not personnal:

| table OCId ACResponse date_wday
| stats dc(date_wday) as nbpres, count as AppeID by ACResponse
| table nbpres,AppeID,ACResponse
| eventstats max(nbpres) as maxJourP
|eval MoyenNoDec=AppeID/maxJourP | where ACResponse="200" | table MoyenNoDec | stats avg(MoyenNoDec)

Thanks for your help

Preview file
11 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎03-06-2017 02:12 AM

Hi Abarny,
sorry but I don't understand your need:
do you want a table like the one in your screenshot?
or do you need to format your number?
If you insert a stats command at the end of your search you have only this value,
if you need to add avg(MoyenNoDec) to your search you have to insert it in the previous stats command or insert with the values option in the last stats command the other values you have, in other words, something like this:
stats values(nbpres) AS nbpres values(AppleID) AS AppleID values(ACResponse) AS ACResponse avg(MoyenNoDec)
why in the last stats command there isn't the BY clause?

In addition, in your search you don't need to insert the table commands between stats commands, in this way your search is slower!

Bye.
Giuseppe.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

Abarny
Path Finder
‎03-06-2017 02:28 AM

I want to format a number. On screenshot, it's for one person but every Agent don't work 5 days, I do this table and just an average of all code 200 by maxJourP by Agent.
I want do that for différent person according to maxJourP and get average global.

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎03-06-2017 02:12 AM

Hi Abarny,
sorry but I don't understand your need:
do you want a table like the one in your screenshot?
or do you need to format your number?
If you insert a stats command at the end of your search you have only this value,
if you need to add avg(MoyenNoDec) to your search you have to insert it in the previous stats command or insert with the values option in the last stats command the other values you have, in other words, something like this:
stats values(nbpres) AS nbpres values(AppleID) AS AppleID values(ACResponse) AS ACResponse avg(MoyenNoDec)
why in the last stats command there isn't the BY clause?

In addition, in your search you don't need to insert the table commands between stats commands, in this way your search is slower!

Bye.
Giuseppe.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎03-06-2017 02:49 AM

Hi Abarny,
OK, you can use appendcols or appendpipe commands

| your_search
| stats dc(date_wday) as nbpres, count as AppeID by ACResponse 
| eventstats max(nbpres) as maxJourP
|eval MoyenNoDec=AppeID/maxJourP 
| where ACResponse="200" 
| appendcols [ your_search | stats avg(MoyenNoDec)]

Bye.
Giuseppe

Reply
Solved! Jump to solution

Abarny
Path Finder
‎03-06-2017 02:54 AM

Thanks you !

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...