Splunk Search

## How to get the average of two fields and compare with last event?

Contributor

I have a simple search like

```
index=main sourcetype=performance Status=*
| eval Status = if(Status=="S","Success","Error")
```

Then I should have a count for each status, example 50 Success and 20 Errors.
Then get the average of those two counts, and finally compare this average to last event so I can get the average difference to the last event.
How can achieve this?

1 Solution
Esteemed Legend

The basic answer is very easy; like this:

```
index=main sourcetype=performance Status=* | eval Status = if(Status=="S","Success","Error") | stats count BY Status
```

The problem is the "compare to last event" part, which doesn't make sense to me.

Contributor

This pretty much solves the problem, just need to get the average of errors and success now...

Contributor

My data is similar to this line:

```
05112015ZK00S09MAIN
05112015ZK00S14MAIN
05112015ZK00E65MAIN
05102015ZK00E22MAIN
05102015ZK00S01MAIN
```

Where the "S" or "E" stands for Status.
So I should get the average of events with Success, the average of Errors.
They were both extracted by positional regex as "Status".
How can I get the average of them?

SplunkTrust

I'm sorry but this question doesn't make any sense so I think you're just asking it in a confusing way. "the average of events with Success, the average of Errors" makes very little sense.

Do you want to end up with a single overall average success rate like 37%?

If so, then this will do the trick:

```
index=main sourcetype=performance Status=* | eval foo=1 | chart count over foo by Status | eval ratio=100* (S/E) | eval ratio=ratio + "%"
```

But this wouldn't incorporate your other requirement, "compare this average to last event so I can get the average difference to the last event" which still doesn't make sense.

Contributor

Well, this person asked us to get a deviation of average status error / success; I'm not actually sure if this is possible. He wants a red/yellow/green light indicator to show whether the deviation is less than 30%, less than 50%, or higher than 50%.
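The following is an added example, not code from the original thread or from Splunk. It takes the positional records posted above, extracts the status letter the way the poster's positional regex does, counts Success/Error per day (the equivalent of `stats count BY Status` per day), turns the counts into a success rate, and compares each day's rate with the previous day's to drive the red/yellow/green indicator described in this post. Assumptions, since the thread does not state them: the eight leading digits are a MMDDYYYY date, the `ZK00` literal and the two-digit number after the status letter are fixed-width, "deviation" means the absolute change in success rate in percentage points, and the thresholds are 30 and 50. The sample events beyond the five posted lines are constructed to exercise all three colours.

```python
"""Count Success/Error per day from positional records and flag the day-over-day
change in success rate as green / yellow / red.

Added example for the thread above; not the original poster's code.
Assumed record layout (from the sample lines): MMDDYYYY, 'ZK00', status letter
S or E, a two-digit number, then a trailing tag such as MAIN.
"""
from collections import Counter, defaultdict
from datetime import datetime
import re

# Constructed sample events: the five lines from the thread plus extra days
# added here so that green, red and yellow all occur.
SAMPLE_EVENTS = """\
05112015ZK00S09MAIN
05112015ZK00S14MAIN
05112015ZK00E65MAIN
05102015ZK00E22MAIN
05102015ZK00S01MAIN
05122015ZK00E11MAIN
05122015ZK00E12MAIN
05122015ZK00E13MAIN
05132015ZK00S20MAIN
05132015ZK00S21MAIN
05132015ZK00E30MAIN
05132015ZK00E31MAIN
05132015ZK00E32MAIN
""".splitlines()

# Positional extraction, mirroring the regex the poster used to pull out "Status".
RECORD = re.compile(r"^(?P<date>\d{8})ZK00(?P<status>[SE])(?P<num>\d{2})(?P<tag>\w+)$")


def parse_event(line):
    """Return a dict for one record, or None for a line that does not match."""
    m = RECORD.match(line.strip())
    if not m:
        return None  # malformed line: skip it rather than miscount
    return {
        "date": datetime.strptime(m["date"], "%m%d%Y").date(),  # MMDDYYYY assumed
        "status": "Success" if m["status"] == "S" else "Error",
        "num": int(m["num"]),
        "tag": m["tag"],
    }


def count_by_status(lines):
    """Per-day counts, the equivalent of `stats count BY date, Status`."""
    per_day = defaultdict(Counter)
    for line in lines:
        ev = parse_event(line)
        if ev:
            per_day[ev["date"]][ev["status"]] += 1
    return per_day


def success_rate(counts):
    """Success share of all events in percent; None when the day has no events.
    Uses S/(S+E) rather than S/E so a day with zero errors still yields a value."""
    total = counts["Success"] + counts["Error"]
    return None if total == 0 else 100.0 * counts["Success"] / total


def classify(deviation, thresholds=(30.0, 50.0)):
    """Map an absolute change in percentage points to a traffic-light colour:
    below 30 green, below 50 yellow, otherwise red (thresholds from the thread)."""
    lo, hi = thresholds
    if deviation < lo:
        return "green"
    if deviation < hi:
        return "yellow"
    return "red"


def daily_report(lines):
    """One row per day: counts, success rate, change versus the previous day, colour.
    The first day has no predecessor, so its deviation and colour are None."""
    per_day = count_by_status(lines)
    rows, prev_rate = [], None
    for day in sorted(per_day):
        c = per_day[day]
        rate = success_rate(c)
        deviation = None if prev_rate is None or rate is None else rate - prev_rate
        rows.append({
            "date": day.isoformat(),
            "success": c["Success"],
            "error": c["Error"],
            "rate": rate,
            "deviation": deviation,
            "light": None if deviation is None else classify(abs(deviation)),
        })
        prev_rate = rate
    return rows


if __name__ == "__main__":
    for row in daily_report(SAMPLE_EVENTS):
        print(row)
```

Two points worth carrying back into the Splunk search: a ratio written as `S/E` has no value on any period with zero errors, whereas `S/(S+E)` is bounded and always defined, and the "compare to the last event" step only works once the counts have been bucketed into periods (in SPL, `timechart span=1d count by Status` followed by an `eval` for the rate and `delta` for the change against the previous bucket), since a single raw event has no rate to compare.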

Esteemed Legend

I agree; you gave us the 1st part (sample events) but not the 2nd part (mockup of final desire).

SplunkTrust

Are these individual events single-line events with only one value for Status each, that then are written out in big groups of events, where each group for you constitutes some "event" in the real world?
Or are these events large multiline events with multiple values of Status in each?

Esteemed Legend

I do not understand. Show sample events and mockup of desired final data.
