Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to edit my current search to find the average?

vtsguerrero
Contributor
‎03-10-2015 12:43 PM

Hello guys! Sup?
Can anyone help me to get the average of all current search events and not only the first ones. I have this search below which has everything I need, but just missin' the correct average. How can I achieve the correct average and variation:

index=main sourcetype=main_pc BOTH=* TABLE_VALUE=* PROCESS_NAME=* 
| eval PROCESS=PROCESS_NAME
| eval VOLUME=(BOTH+TABLE_VALUE)  
| streamstats avg(VOLUME) as AVERAGE
| eval VARIATION=((1-(VOLUME/AVERAGE))*100) 
| fieldformat VARIATION=round(VARIATION, 2) 
| table PROCESS_NAMEVOLUMEAVERAGE VARIATION
| rangemap field=VARIATION low=0-20 elevated=20.01-50 severe=40.01-100 default=low

And we get results with different values for each table row, should be the same for this amount of data returned by this current search and time period.

Tags (3)
0 Karma
Reply

maciep
Champion
‎03-11-2015 07:33 PM

Maybe you want to use eventstats instead of streamstats?

http://blogs.splunk.com/2014/04/01/search-command-stats-eventstats-and-streamstats-2/

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Join Principal Threat Researcher, Michael Haag, as he walks through:An introduction to the Splunk Threat ...

Splunk Life | Happy Pride Month!

Happy Pride Month, Splunk Community! 🌈 In the United States, as well as many countries around the ...

SplunkTrust | Where Are They Now - Michael Uschmann

The Background Five years ago, Splunk published several videos showcasing members of the SplunkTrust to share ...