hi, @ITWhisperer i tried and the table only has averages for few Groups. It doesn't show averages for all the groups.

Can you share you full search? (In a code block </> preferably)

Hi @ITWhisperer , This is my sample data. This is only for one Task_no. There are many Tasks under a Group, likewise there are many Groups also.

"Task_no":"5",

"Group": "G1",

"EXECUTION_DATE":1648081994535,

"STATUS":"FAILURE",

"DURATION":1951628

And this is the search i'm using,

| bucket _time span=1d
| stats distinct_count(Task) as counts by _time Group| stats avg(counts) as AverageCountPerDay by Group

Actually i have table which combines all some of the calculated data using JOIN. The query is too big so only posted the search for the average. I have been trying to calculate average and trying to combine the data to my table. But the query which i used does not give the values correctly. I find the averages separately for a Group like this,

|timechart span=1d distinct_count(Task) as Count| stats avg(Count) as Average

Timechart will fill in the blanks in your time range so you could end up with zeroes for some days. This will bring the average down, when compared to taking the average of the non-zero counts that stats is giving you. Is this the reason for the "incorrect" averages?

Yes. I guess that is the reason for the incorrect values. Any idea in how to resolve this? Or is it possible for to find averages for all the Groups together by any other way?

I am not sure what you are trying to resolve - do you want the average from stats (without the days with zeroes being included) or the average from timechart (with the days with zeroes being included)? (The answer is in the question! 😀)

I want to find the averages together with the days with zeroes being included..

Try this

| bucket _time span=1d
| chart dc(Task) as counts useother=f limit=0 by _time Group
| eventstats min(_time) as start
| eval bin=floor((_time-start)/(60*60*24))
| makecontinuous bin
| filldown start
| eval _time=start+(bin*60*60*24)
| fillnull value=0
| fields - bin start
| untable _time Group counts
| stats avg(counts) as AverageCountPerDay by Group

Hi @isoutamo , tried it but the result i am getting is same.. It does not consider the day in which there is no "Task".

Sorry my misunderstanding. Maybe this is what you are looking for

| bucket _time span=1d
| stats distinct_count(Task) as counts by _time Group
| makecontinuous _time span=1d
| eventstats values(Group) as grp
| eval Group=coalesce(Group, grp)
| fields - grp
| fillnull value=0 counts
| mvexpand Group
| stats avg(counts) as AverageCountPerDay by Group

Hi @isoutamo , still it is giving  different values.

For finding out the average separately i use the following query. This is finding out the average separately for the "Group".

|timechart span=1d distinct_count(Task) as Count| stats avg(Count) as Average

My data has different "Group", so i want to create a table for the Group and the averages. But the timechart is not working if used for the groups.

Why you don't use 

| timechart span=1d distinct_count(Task) as Count by Group
| stats avg(*) as Average_*
| foreach * 
    [ eval <<FIELD>> = round('<<FIELD>>', 2)]

 With my test data I get same results with this and my previous example. Please check that those field names are correct as I tested it with different events.

Hi , @isoutamo tried this and i am not able to produce the average for all the Groups. Also is there a way to put these values as Group and Average as columns in a table?