
time picker average if selected more than one day

VI371887

Path Finder

12-18-2018
10:52 PM

Hi All.

I need help regarding one of my queries, shown below

```
index=int_app source="City_APP*" FUNCTION=* ACTION=* | chart sum(PERCENT90) over FUNCTION by source
```

Now if I run this query over a 7-day period, ideally I should get the day 1 SUM through the day 7 SUM averaged by 7,

for example:

```
Day 1 | Day 2 | Day 3 | Day 4 | Day 5 | Day 6 | Day 7
1     | 2     | 3     | 4     | 5     | 6     | 7
```

It should be 28/7, which is 4. Similarly, if we add day 8 data as 8,

the result should be 36/8, which is 4.5,

but what I am getting is 28 for 7 days and 36 for 8 days 😞

Can anyone help me understand what I am missing?


Re: time picker average if selected more than one day

richgalloway

SplunkTrust

12-19-2018
06:50 AM

Do you get the right results when you use `avg(PERCENT90)` instead of `sum(PERCENT90)`?

---

If this reply helps you, an upvote would be appreciated.



Re: time picker average if selected more than one day

VI371887

Path Finder

12-20-2018
09:45 PM

Yes, I could use avg(PERCENT90), but each FUNCTION field holds 2 to 3 values of ACTION of its own, which need to be grouped under each function.

The problem is that I want to sum the action values that are there in some of the functions. For example, below is the output requested:

```
FUNCTION | HK | SG
AGE |107.773 | 120.644
CLT |49.206 | 37.6
COM | 12 | 61.778
RIO |56.803 |
CONSULT | | 10.115
```

Now some of the functions, like COM, have sub-values which need to be summed up.

so COM has sub values :

COM1 : 2

COM2 : 4

COM3 : 6

So I need the "**COM**" function's value as 12, but if I am using **avg(PERCENT90)**, what I get is 12/3

if I am using the below query

```
index=int_app source="City_APP*" FUNCTION=* ACTION=* | chart avg(PERCENT90) over FUNCTION by source
```


Re: time picker average if selected more than one day

macadminrohit

Contributor

12-19-2018
02:39 PM

From what I can infer from your query, you should see results in this fashion:

```
FUNCTION | DAY1 | DAY2 | DAY3 | DAY4 | DAY5 | DAY6 | DAY7
Fun1     | 3    | 4    | 5    | 6    | 7    | 8    | 9
```

If you are running the search over 7 days, then how is it calculating the average? From what I see, it will calculate the sum for all the `values` of the `PERCENT90` field and show it to you in chart fashion. Also, does `source` have the values `DAY1`, `DAY2` and so on?

Can you show a sample data set?


Re: time picker average if selected more than one day

VI371887

Path Finder

12-20-2018
10:08 PM

Yes, it looks like the below with the above query:

```
FUNCTION | HK      | SG
AGE      | 107.773 | 120.644
CLT      | 49.206  | 37.6
COM      | 12      | 61.778
RIO      | 56.803  |
CONSULT  |         | 10.115
```

But if I am using the time picker for 7 days, I will be getting the sum of the AGE function 7 times:

```
FUNCTION | HK      | SG
AGE      | 754.411 | 844.508
```

I want to get the average instead of **107.773 x 7** & **120.644 x 7** for all functions.

So if I use

```
index=int_app source="City_APP*" FUNCTION=* ACTION=* | chart avg(PERCENT90) over FUNCTION by source
```

I get the desired result for functions which have only one sub-value, but if there's a function with more sub-values, it even averages the values under it. For example:

A function like COM has sub-values which need to be summed up.

So COM has sub-values:

COM1 : 2

COM2 : 4

COM3 : 6

So I need the "COM" function's value as 12, but if I am using avg(PERCENT90), what I get is 12/3

So the requirement is that sub-values under functions should only be summed up, not averaged, once they are summed up under a Function for a particular day. Once I have the sum of sub-values under a function for the day, I want to do an average of the function's value by cities.

Function HK SG
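
One way to express the requirement stated in this thread (sum the ACTION sub-values per FUNCTION within each day, then average those daily sums across the selected time range), as an added example that is not part of the original posts. It uses only the index, source and field names from the query above; the one-day bucket (`span=1d`), the intermediate field name `daily_sum`, and the assumption that each ACTION reports one PERCENT90 value per day are assumptions made here.

```spl
index=int_app source="City_APP*" FUNCTION=* ACTION=*
| bin _time span=1d
| stats sum(PERCENT90) AS daily_sum BY _time, FUNCTION, source
| chart avg(daily_sum) OVER FUNCTION BY source
```

With the COM sub-values quoted above (2, 4 and 6 on each day), `daily_sum` is 12 for every day and the final average stays 12 whether the time picker covers 1, 7 or 8 days. A day with no events for a given FUNCTION and source produces no `daily_sum` row, so it is left out of the divisor rather than counted as zero.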