Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to get the average base on line number?

samlinsongguo
Communicator
‎05-30-2018 10:27 PM

Hi
I have a table as below, each time run the query it may return different result

run 1
day1 10
day2 20
day3 25

run second time
day1 10
day2 20
day3 30
day4 10

I want to calculate the average base on how many line there are. So for each table will be calculate as below
day1 10
day2 20
day3 25
avgT 18.333
calculation: (10+20+25)/3=18.333

day1 10
day2 20
day3 30
day4 10
avgT 17.5
Calculation: (10+20+30+10)/4=17.5

Any suggestion how I can achieve that?
Thanks in advance

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎05-31-2018 07:00 AM

@samlinsongguo please try the following run anywhere search example. Commands from | makeresults till | table Days Count generates the table as per the question:

|  makeresults
|  eval data="day1 10;day2 20;day3 30;day4 10"
|  makemv data delim=";"
|  mvexpand data
|  makemv data delim=" "
|  eval Days=mvindex(data,0),Count=mvindex(data,1)
|  fields - _time data
|  table Days Count
|  streamstats count as sno
|  addcoltotals Count labelfield=Days label=AvgT
|  filldown sno
|  eval Count=if(Days=="AvgT",round(Count/sno,2),Count)
|  fields - sno

If the fields in the table above are Days and Count, you need to add the following code in your existing search:

<yourCurrentSearch>
    |  streamstats count as sno
    |  addcoltotals Count labelfield=Days label=AvgT
    |  filldown sno
    |  eval Count=if(Days=="AvgT",round(Count/sno,2),Count)
    |  fields - sno
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

niketn
Legend
‎05-31-2018 07:00 AM

@samlinsongguo please try the following run anywhere search example. Commands from | makeresults till | table Days Count generates the table as per the question:

|  makeresults
|  eval data="day1 10;day2 20;day3 30;day4 10"
|  makemv data delim=";"
|  mvexpand data
|  makemv data delim=" "
|  eval Days=mvindex(data,0),Count=mvindex(data,1)
|  fields - _time data
|  table Days Count
|  streamstats count as sno
|  addcoltotals Count labelfield=Days label=AvgT
|  filldown sno
|  eval Count=if(Days=="AvgT",round(Count/sno,2),Count)
|  fields - sno

If the fields in the table above are Days and Count, you need to add the following code in your existing search:

<yourCurrentSearch>
    |  streamstats count as sno
    |  addcoltotals Count labelfield=Days label=AvgT
    |  filldown sno
    |  eval Count=if(Days=="AvgT",round(Count/sno,2),Count)
    |  fields - sno
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

samlinsongguo
Communicator
‎05-31-2018 05:26 PM

This is so smart Thank you so much

Reply
Get Updates on the Splunk Community!

Index This | When is October more than just the tenth month?

October 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What’s New & Next in Splunk SOAR

 Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us for an ...