Solved: Re: Stats count and average

rhinomike · ‎01-23-2015

I have a log that more or less looks like:

 timestamp=1422006650  from=bob@sender.com to=alice@receiver.com subject="I love you honey" score=100 
 timestamp=1422007650    from=bob@sender.com to=alice@receiver.com subject="I love you honey" score=100 
 timestamp=1422008650    from=eve@sender.com to=alice@receiver.com subject="I loved him first" score=100
 timestamp=1422009650    from=eve@sender.com to=alice@receiver.com subject="I loved you first" score=50
 timestamp=1422009750    from=eve@sender.com to=alice@receiver.com subject="I loved him  first" score=10

I am now trying to perform a stats like

from                    subject                 count_to    avg_score
bob@sender.com          I love you honey       2       100
eve@sender.com          I loved you first      1       50
eve@sender.com          I loved him first      2       55

If I'm not mistaken, I can use:

stats count by from,to, subject to build the four first columns, however it is not clear to me how to calculate the average for a particular set of values in accordance with the first round of stats.

Is it possible?

aweitzman · ‎01-23-2015

This should work:

... | stats count as count_to avg(score) as avg_score by from subject

View solution in original post

aweitzman · ‎01-23-2015

This should work:

... | stats count as count_to avg(score) as avg_score by from subject

rhinomike · ‎03-01-2015

Solved it perfectly. Thanks

Stats count and average

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Data Management Digest – May 2026

Join the Conversation