Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

If I have a table with daily averages, how do I display the standard deviation of these averages at the bottom of the table as a consolidated result?

brutecat
Path Finder
‎05-31-2015 08:49 PM

Hi there,

I was wondering if someone could assist with the following.

I have a table built up as daily averages of 'duration' for events. The 'duration' here refers to the time it takes for the event to complete. I would like to display the standard deviation of these averages at the bottom of the table as a consolidated result. Is this possible in Splunk?

Thanks,

Stan

Tags (4)
Reply
1 Solution
Solved! Jump to solution
Solution

acharlieh
Influencer
‎05-31-2015 09:49 PM

This is one of the cases where appendpipe is awesome and sounds like exactly what you're looking for. What happens is, this command takes the results you have before it, feeds it as input to a subsearch, and appends the results to your search.

Now you didn't state it explicitly, but I'm going to assume you have some EXISTING SEARCH that's producing a table of two fields (columns), day stating the day, and avgduration being the average duration for the given day.

Now if we want to add the standard deviation of the averages as a new row we just modify your search like so:

EXISTING SEARCH | appendpipe [stats stdev(avgduration) as stddev | eval day="ALL"]

Obviously you're able to rename the fields and use eval to tweak other values as you see fit within and outside of the search. Hope this helps!

View solution in original post

Reply
Solved! Jump to solution

ramdaspr
Contributor
‎05-31-2015 10:16 PM

Sure you can.
Since there isnt a data sample, I am assuming you have 2 columns, Event, Average

index=myindex | table Event,Average | append [search index=myindex | stats stdev(Average) as Average]

The idea is to calculate the std deviation separately and then append the results to your table. The renaming in the subsearch is so that the results are appended to the column Average.

0 Karma
Reply
Solved! Jump to solution

acharlieh
Influencer
‎06-01-2015 12:10 AM

While your solution would get you to the correct answer, in this case since the field and data that you're wanting to take the standard deviation of is already in the results of the table, you should prefer appendpipe as I had stated which lets you simply build from results you have already retrieved, instead of incurring a performance penalty by having to go all the way back to the indexes on disk (and possibly remote indexers) which is what would happen by doing an append search as you have suggested.

Reply
Solved! Jump to solution

ramdaspr
Contributor
‎06-01-2015 12:15 AM

Thanks 🙂 I wasnt aware of the appendpipe function

0 Karma
Reply
Solved! Jump to solution

jackson1990
Path Finder
‎05-31-2015 10:08 PM

Assuming your table has Duration_avg as fields,
Use the below command to find standardDeviation of a Field
| stats stddev() AS STDDEV
In your case,for ex:
| stats stddev(Duration_avg ) AS STDDEV

Hope it helps for you...

References:
http://docs.splunk.com/Documentation/Splunk/6.2.3/SearchReference/CommonStatsFunctions

0 Karma
Reply
Solved! Jump to solution

acharlieh
Influencer
‎06-01-2015 12:07 AM

Simply piping to stats would destroy the table, which since the OP asked to display the average of the standard deviations at the bottom of the table I'm assuming this was not the intention.

0 Karma
Reply
Solved! Jump to solution
Solution

acharlieh
Influencer
‎05-31-2015 09:49 PM

This is one of the cases where appendpipe is awesome and sounds like exactly what you're looking for. What happens is, this command takes the results you have before it, feeds it as input to a subsearch, and appends the results to your search.

Now you didn't state it explicitly, but I'm going to assume you have some EXISTING SEARCH that's producing a table of two fields (columns), day stating the day, and avgduration being the average duration for the given day.

Now if we want to add the standard deviation of the averages as a new row we just modify your search like so:

EXISTING SEARCH | appendpipe [stats stdev(avgduration) as stddev | eval day="ALL"]

Obviously you're able to rename the fields and use eval to tweak other values as you see fit within and outside of the search. Hope this helps!

Reply
Solved! Jump to solution

brutecat
Path Finder
‎05-31-2015 10:04 PM

Hey acharlieh, thanks - perfect

0 Karma
Reply
Solved! Jump to solution

acharlieh
Influencer
‎06-01-2015 12:04 AM

You're welcome!

0 Karma
Reply
Get Updates on the Splunk Community!

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...