Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Showing mean() and avg() side by side

Gunnar
Explorer
‎10-08-2021 02:56 AM

Hi all,

strange thing - when using mean() and avg() in the same stats command, whichever is written first is empty, while the second value  is shown with the correct result.

... | stats mean(Capacity) avg(Capacity)

mean(Capacity)avg(Capacity)
 20.71428

 

... | stats  avg(Capacity) mean(Capacity)

avg(Capacity) mean(Capacity)
 20.71428

 

I know they are basically the same values. But why can't I show them side by side?

Each function on its own is working fine.

Also adding any of the other statistical functions is no problem, just avg() and mean() don't go together.

Why?

I'm on 8.2.0 at the moment.

Thank you very much and kind regards,

Gunnar

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎10-08-2021 07:07 AM

From the job log:

10-08-2021 16:03:36.510 INFO  StatsProcessorV2 [10773 searchOrchestrator] - StatsProcessorV2::processArguments: Unaligned accesses are free
10-08-2021 16:03:36.510 INFO  StatsAggregations [10773 searchOrchestrator] - Instantiating Stats function list for key=Capacity, alias=list(Capacity)
10-08-2021 16:03:36.510 INFO  StatsAggregations [10773 searchOrchestrator] - Instantiating Stats function min for key=Capacity, alias=min(Capacity)
10-08-2021 16:03:36.510 INFO  StatsAggregations [10773 searchOrchestrator] - Instantiating Stats function max for key=Capacity, alias=max(Capacity)
10-08-2021 16:03:36.510 INFO  StatsAggregations [10773 searchOrchestrator] - Instantiating Stats function mean for key=Capacity, alias=avg(Capacity)
10-08-2021 16:03:36.510 INFO  StatsAggregations [10773 searchOrchestrator] - Instantiating Stats function median for key=Capacity, alias=median(Capacity)
10-08-2021 16:03:36.510 INFO  StatsAggregations [10773 searchOrchestrator] - Instantiating Stats function range for key=Capacity, alias=range(Capacity)
10-08-2021 16:03:36.510 INFO  StatsAggregations [10773 searchOrchestrator] - Found existing Stats function  mean for key=Capacity alias changed to mean(Capacity)
10-08-2021 16:03:36.510 INFO  StatsAggregations [10773 searchOrchestrator] - Instantiating Stats function stdev for key=Capacity, alias=stdev(Capacity)
10-08-2021 16:03:36.510 INFO  StatsAggregations [10773 searchOrchestrator] - Instantiating Stats function var for key=Capacity, alias=var(Capacity)

See the 3rd line from the bottom. Apparently Splunk notices that those two functions are equivalent to each other and decides it won't calculate values twice. Why it doesn't display the resulting value anyway beats me.

View solution in original post

Reply
Solved! Jump to solution

ashvinpandey
Contributor
‎10-08-2021 07:15 AM

@Gunnar Try using the below one:

| stats avg(Capacity) as Avg_Capacity mean(Capacity) as Mean_Capacity

OR

| chart avg(Capacity) as Avg_Capacity mean(Capacity) as Mean_Capacity

Also, If this reply helps you, a thumbs-up would be appreciated.

0 Karma
Reply
Solved! Jump to solution

Gunnar
Explorer
‎10-08-2021 07:28 AM

Hi,

first option doesn't make a difference - same result.

Using chart doesn't work either but returns an interesting error message:

"Error in 'chart' command: The specifier 'mean(Capacity)' is specified multiple times"

Which goes back to the reply from @PickleRick and what the log shows - apparently Splunk sees avg() and mean() as the same function and computes it only once in the same command.

Thank you,

Gunnar

0 Karma
Reply
Solved! Jump to solution

ashvinpandey
Contributor
‎10-08-2021 07:33 AM

@Gunnar Try this once:

| eventstats avg(Capacity) as Avg_Capacity
| stats mean(Capacity) as Mean_Capacity
| table Avg_Capacity Mean_Capacity
0 Karma
Reply
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎10-08-2021 07:07 AM

From the job log:

10-08-2021 16:03:36.510 INFO  StatsProcessorV2 [10773 searchOrchestrator] - StatsProcessorV2::processArguments: Unaligned accesses are free
10-08-2021 16:03:36.510 INFO  StatsAggregations [10773 searchOrchestrator] - Instantiating Stats function list for key=Capacity, alias=list(Capacity)
10-08-2021 16:03:36.510 INFO  StatsAggregations [10773 searchOrchestrator] - Instantiating Stats function min for key=Capacity, alias=min(Capacity)
10-08-2021 16:03:36.510 INFO  StatsAggregations [10773 searchOrchestrator] - Instantiating Stats function max for key=Capacity, alias=max(Capacity)
10-08-2021 16:03:36.510 INFO  StatsAggregations [10773 searchOrchestrator] - Instantiating Stats function mean for key=Capacity, alias=avg(Capacity)
10-08-2021 16:03:36.510 INFO  StatsAggregations [10773 searchOrchestrator] - Instantiating Stats function median for key=Capacity, alias=median(Capacity)
10-08-2021 16:03:36.510 INFO  StatsAggregations [10773 searchOrchestrator] - Instantiating Stats function range for key=Capacity, alias=range(Capacity)
10-08-2021 16:03:36.510 INFO  StatsAggregations [10773 searchOrchestrator] - Found existing Stats function  mean for key=Capacity alias changed to mean(Capacity)
10-08-2021 16:03:36.510 INFO  StatsAggregations [10773 searchOrchestrator] - Instantiating Stats function stdev for key=Capacity, alias=stdev(Capacity)
10-08-2021 16:03:36.510 INFO  StatsAggregations [10773 searchOrchestrator] - Instantiating Stats function var for key=Capacity, alias=var(Capacity)

See the 3rd line from the bottom. Apparently Splunk notices that those two functions are equivalent to each other and decides it won't calculate values twice. Why it doesn't display the resulting value anyway beats me.

Reply
Solved! Jump to solution

Gunnar
Explorer
‎10-08-2021 07:32 AM

Thanks for looking at the logs.

So there actually is no separate avg() function - its just a fallback to mean().

That's not what I expected but probably explains it.

BR!

Gunnar

0 Karma
Reply
Solved! Jump to solution

Gunnar
Explorer
‎10-08-2021 02:58 AM

For testing:

| makeresults 
| eval _raw="Date,Name,Capacity
 2020-01-01,VM1,5
 2020-01-02,VM2,5
 2020-01-03,VM4,5
 2020-01-04,VM1,10
 2020-01-05,VM2,10
 2020-01-06,VM4,10
 2020-01-07,VM1,10
 2020-01-08,VM2,10
 2020-01-09,VM1,15
 2020-01-10,VM2,15
 2020-01-11,VM1,15
 2020-01-12,VM2,15
 2020-01-13,VM1,15
 2020-01-14,VM2,20
 2020-01-15,VM3,20
 2020-01-16,VM1,20
 2020-01-17,VM2,25
 2020-01-18,VM3,25
 2020-01-19,VM3,50
 2020-01-20,VM3,55
 2020-01-21,VM3,80 "
 | multikv forceheader=1
 | eval _time=strptime(Date, "%Y-%m-%d")
 | fields Capacity
 | stats list(Capacity) min(Capacity) max(Capacity) avg(Capacity) median(Capacity) range(Capacity) mean(Capacity) stdev(Capacity) var(Capacity)

 

 

0 Karma
Reply
Get Updates on the Splunk Community!

Harnessing Splunk’s Federated Search for Amazon S3

Managing your data effectively often means balancing performance, costs, and compliance. Splunk’s Federated ...

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

We’ve been buzzing with excitement about the recent validation of Splunk Education! The 2024 Splunk Career ...

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...