
## average for a field value per n number of events

Explorer

How would I find the average value of a certain field per a certain amount of events?

Example:
I have 1000 events and in there I have a specific numerical field. What would I do if I wanted an average of every 10 events and wanted to display them in a new table? So my new table will have 100 events now, each entry filled with the average of 10 events.

SplunkTrust

This run-anywhere example may help.

```
| makeresults | eval fielda = "1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40"
| eval fielda=split(fielda,",")
| mvexpand fielda
`comment("Everything above just creates sample data")`
| streamstats reset_after=(count==10) window=10 avg(fielda) count | where count=10 | fields - count
```
---
If this reply helps you, an upvote would be appreciated.
SplunkTrust

Try this,

```
index = INDEXNAME | streamstats count | eval count = count - 1, count = count - (count % 10) | stats avg(NUMERIC_FIELD) by count
```
Explorer

This generates a weird count value. It goes 0,10,100,1000,10000,10010,10020,10030, whereas what we are looking for is 10,20,30,40,50 in the count.

SplunkTrust

Just sort count, you'll see expected values:

```
index = INDEXNAME | streamstats count | eval count = count - 1, count = count - (count % 10) | stats avg(NUMERIC_FIELD) by count | sort count
```
Explorer

This works, thanks man.
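
A run-anywhere version of the bucketing approach from this thread, added here as an illustration and not posted by any participant. It runs on generated data; the field names `n`, `bucket`, `avg_value`, `events` and `last_event` are made up for the example, and the `comment` macro is the one used in the run-anywhere reply above:

```spl
| makeresults count=1000
| streamstats count AS n
| eval NUMERIC_FIELD = n
`comment("Constructed sample data: 1000 events with NUMERIC_FIELD = 1..1000")`
| eval bucket = n - 1, bucket = bucket - (bucket % 10)
`comment("bucket is 0 for events 1-10, 10 for events 11-20, and so on")`
| stats avg(NUMERIC_FIELD) AS avg_value count AS events BY bucket
`comment("The BY field comes back in text order (0, 10, 100, 110, ...), so sort it as a number")`
| sort 0 num(bucket)
| eval last_event = bucket + events
`comment("last_event gives 10, 20, 30, ... labels; events exposes a short final group")`
| table last_event events avg_value
```

Keeping `count AS events` in the `stats` call makes a final group with fewer than 10 events visible instead of silently averaging over a partial window.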
