Splunk Search

## Need to calculate weighted average across columns like addtotals does sum across columns (from chart command)

Path Finder

I have asked almost the same question here. I will try to explain my question better here

My command looks like this

``````... | stats sum(field1) as sumf1, sum(field2) as countf2 by  field3,field4  | eval avgf5 = (sumf1/countf2 )  | chart sum(avgf5) as avgf5 over field4 by  field3
``````

The chart command transposes field3 values across columns... This produces a tables with columns(that is equal to no of distinct field3 values) ....

If I want to have a sum across cols I can use addtotals What can I use for average(weighted) across cols? Can I write my own function?

Tags (3)
1 Solution
Splunk Employee

You should be able to make `field3` a multivalued field that contains its original value as well as the value `ALL` so that the `stats` command calculates the global sum and count for every value of `field4`, stored as `field3=ALL` and then aggregated properly later. Let's assume that `field3` never has commas in it:

``````... | eval field3 = field3 . ",ALL"
| makemv delim="," field3
| stats sum(field1) as sumf1, count(field2) as countf2 by field3 field4
| eval avgf5 = (sumf1/countf2)
| chart first(avgf5) over field4 by field3
``````

If field3 does have commas in it, you can just pick another delimiter.

Splunk Employee

You should be able to make `field3` a multivalued field that contains its original value as well as the value `ALL` so that the `stats` command calculates the global sum and count for every value of `field4`, stored as `field3=ALL` and then aggregated properly later. Let's assume that `field3` never has commas in it:

``````... | eval field3 = field3 . ",ALL"
| makemv delim="," field3
| stats sum(field1) as sumf1, count(field2) as countf2 by field3 field4
| eval avgf5 = (sumf1/countf2)
| chart first(avgf5) over field4 by field3
``````

If field3 does have commas in it, you can just pick another delimiter.

Path Finder

This solution is simply awesome....

Path Finder

Or When we use an avg function in chart command, is there a way to get overall average ?

Get Updates on the Splunk Community!

#### The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

#### Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

#### Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...