Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create total average/median/max of field in a separate table?

LearningGuy
Motivator
‎10-23-2023 07:06 AM


How to create total average/median/max of field in a separate table?
Thank you in advance

| index=testindex
| table company, ip, Vulnerability, Score

companyipVulnerabilityScore
CompanyAip1Vuln12
CompanyAip1Vuln20
CompanyAip2Vuln34
CompanyAip2Vuln42
CompanyAip3Vuln53
CompanyAip3Vuln65


Group by IP  => This worked just fine
| stats values(company), avg(Score) as AvgScore by ip

companyipAvgScore
CompanyAip11
CompanyAip23
CompanyAip34


Group by Company   =>  how do I group by company after group by ip (using stats) and put it on a separate table?
| stats avg(AvgScore) as Average, avgAvgScore) as Median, max( AvgScore) as Max by company

CompanyAverageMedianMax
CompanyA2.734
Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎10-23-2023 08:03 AM

A separate table requires a separate search.

If this is in a dashboard then consider making the first table a base search and the second table a post-processing of the first.  That will save you time and resources when the dashboard runs.

...
<search id="base"> <!-- "base" can be any string -->
  <query>| index=testindex
| table company, ip, Vulnerability, Score
| stats values(company), avg(Score) as AvgScore by ip</query>
...
</search>
...
<search base="base"> <!-- Use the same string as above -->
<query>| stats avg(AvgScore) as Average, avgAvgScore) as Median, max( AvgScore) as Max by company</query>
</search>
...
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

LearningGuy
Motivator
‎10-23-2023 11:26 AM

Hello,
I tried your suggestion and it worked fine. I am accepting this as a solution
Can you also suggest how to put the average, median and max on the bottom of the table?
Thank you again
Below is the example:  

companyipAvgScore
CompanyAip11
CompanyAip23
CompanyAip34
 Average2.7
 Median3
 Max4




0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎10-23-2023 12:41 PM

I think you can do that with the appendpipe command, which processes the current results and adds new results to bottom.

 

| stats values(company), avg(Score) as AvgScore by ip
| appendpipe [ stats avg(AvgScore) as Average, median(AvgScore) as Median, max(AvgScore) as Max by company ]

 

 

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

LearningGuy
Motivator
‎10-23-2023 05:11 PM

Hello,

I tried the command you suggested and it did not show any effects
Please suggest.

Thanks

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎10-23-2023 05:24 PM

I used the wrong case in the field name.  Try my edited answer.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

LearningGuy
Motivator
‎10-23-2023 06:31 PM

Hello,
There would be no difference because I converted your suggestion to my real data, so I already fixed any details
Please suggest.

Thanks,

Marius

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎10-23-2023 08:03 AM

A separate table requires a separate search.

If this is in a dashboard then consider making the first table a base search and the second table a post-processing of the first.  That will save you time and resources when the dashboard runs.

...
<search id="base"> <!-- "base" can be any string -->
  <query>| index=testindex
| table company, ip, Vulnerability, Score
| stats values(company), avg(Score) as AvgScore by ip</query>
...
</search>
...
<search base="base"> <!-- Use the same string as above -->
<query>| stats avg(AvgScore) as Average, avgAvgScore) as Median, max( AvgScore) as Max by company</query>
</search>
...
---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...

Secure Your Future: Mastering Upgrade Readiness for Splunk 10

Spotlight: The Splunk Health Assistant Add-On  The Splunk Health Assistant Add-On is your ultimate companion ...

Observability Unlocked: Kubernetes & Cloud Monitoring with Splunk IM

Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team on ...