Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Rolling Averages

justx001
Explorer
‎10-14-2016 05:42 AM

I am having alot of trouble setting up rolling averages in Splunk. I would love to be able to overlay a 30, 60, 90 day trend line over my current trend line. this seems like a pretty standard function in analysis so I am sure im over looking some simple function? Is there documentation or guidance on how to set up rolling averages?

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

skoelpin
SplunkTrust
SplunkTrust
‎10-14-2016 06:05 AM

You'll want to use streamstats to accomplish this

https://docs.splunk.com/Documentation/Splunk/6.5.0/SearchReference/Streamstats

Try something like this

<your base search> | timechart count span=30d | streamstats window=20 avg(count) as avgCount | fields _time avgCount [search <your base search> | timechart count span=60d | streamstats window=20 avg(count) as avgCount | fields _time avgCount]

View solution in original post

Reply
Solved! Jump to solution

justx001
Explorer
‎10-14-2016 06:35 AM

Thank you very much for the quick reply, the reference and the example

Reply
Solved! Jump to solution
Solution

skoelpin
SplunkTrust
SplunkTrust
‎10-14-2016 06:05 AM

You'll want to use streamstats to accomplish this

https://docs.splunk.com/Documentation/Splunk/6.5.0/SearchReference/Streamstats

Try something like this

<your base search> | timechart count span=30d | streamstats window=20 avg(count) as avgCount | fields _time avgCount [search <your base search> | timechart count span=60d | streamstats window=20 avg(count) as avgCount | fields _time avgCount]

Reply
Solved! Jump to solution

aljohnson_splun
Splunk Employee
Splunk Employee
‎10-14-2016 11:44 AM

As an addendum to this fabulous answer, @justx001 you might want to check out the trendline command as well, it has weighted and exponential moving averages as well.


| ... base search
| timechart count span=1d
| trendline sma10(count) as ten_day_simple_moving_average, wma30(count) as month_weighted_moving_average, ema7(count) as week_exponential_moving_average

Reply
Solved! Jump to solution

cmerriman
Super Champion
‎10-14-2016 05:48 AM

use |streamstats

https://docs.splunk.com/Documentation/Splunk/6.5.0/SearchReference/Streamstats

it's great for rolling averages. you can do multiple streamstats, one for the 30, 60, and 90 day windows.

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

Data-Driven Success: Splunk & Financial Services

Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...