How would I find the average value of a certain field per a certain amount of events?
I have 1000 events, and in there I have a specific numerical field. What would I do if I wanted an average of every 10 events and wanted to display them in a new table? So my new table will have 100 events now, each entry filled with the average of 10 events.
This run-anywhere example may help.
| makeresults
| eval fielda = "1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40"
| eval fielda=split(fielda,",")
| mvexpand fielda
`comment("Everything above just creates sample data")`
| streamstats reset_after=(count==10) window=10 avg(fielda) count
| where count=10
| fields - count
Just sort count, you'll see expected values:
index = INDEXNAME
| streamstats count
| eval count = count - 1, count = count - (count % 10)
| stats avg(NUMERIC_FIELD) by count
| sort count