Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create total average/median/max of field in a separate table?

LearningGuy
Motivator
‎10-23-2023 07:06 AM


How to create total average/median/max of field in a separate table?
Thank you in advance

| index=testindex
| table company, ip, Vulnerability, Score

companyipVulnerabilityScore
CompanyAip1Vuln12
CompanyAip1Vuln20
CompanyAip2Vuln34
CompanyAip2Vuln42
CompanyAip3Vuln53
CompanyAip3Vuln65


Group by IP  => This worked just fine
| stats values(company), avg(Score) as AvgScore by ip

companyipAvgScore
CompanyAip11
CompanyAip23
CompanyAip34


Group by Company   =>  how do I group by company after group by ip (using stats) and put it on a separate table?
| stats avg(AvgScore) as Average, avgAvgScore) as Median, max( AvgScore) as Max by company

CompanyAverageMedianMax
CompanyA2.734
Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎10-23-2023 08:03 AM

A separate table requires a separate search.

If this is in a dashboard then consider making the first table a base search and the second table a post-processing of the first.  That will save you time and resources when the dashboard runs.

...
<search id="base"> <!-- "base" can be any string -->
  <query>| index=testindex
| table company, ip, Vulnerability, Score
| stats values(company), avg(Score) as AvgScore by ip</query>
...
</search>
...
<search base="base"> <!-- Use the same string as above -->
<query>| stats avg(AvgScore) as Average, avgAvgScore) as Median, max( AvgScore) as Max by company</query>
</search>
...
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

LearningGuy
Motivator
‎10-23-2023 11:26 AM

Hello,
I tried your suggestion and it worked fine. I am accepting this as a solution
Can you also suggest how to put the average, median and max on the bottom of the table?
Thank you again
Below is the example:  

companyipAvgScore
CompanyAip11
CompanyAip23
CompanyAip34
 Average2.7
 Median3
 Max4




0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎10-23-2023 12:41 PM

I think you can do that with the appendpipe command, which processes the current results and adds new results to bottom.

 

| stats values(company), avg(Score) as AvgScore by ip
| appendpipe [ stats avg(AvgScore) as Average, median(AvgScore) as Median, max(AvgScore) as Max by company ]

 

 

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

LearningGuy
Motivator
‎10-23-2023 05:11 PM

Hello,

I tried the command you suggested and it did not show any effects
Please suggest.

Thanks

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎10-23-2023 05:24 PM

I used the wrong case in the field name.  Try my edited answer.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

LearningGuy
Motivator
‎10-23-2023 06:31 PM

Hello,
There would be no difference because I converted your suggestion to my real data, so I already fixed any details
Please suggest.

Thanks,

Marius

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎10-23-2023 08:03 AM

A separate table requires a separate search.

If this is in a dashboard then consider making the first table a base search and the second table a post-processing of the first.  That will save you time and resources when the dashboard runs.

...
<search id="base"> <!-- "base" can be any string -->
  <query>| index=testindex
| table company, ip, Vulnerability, Score
| stats values(company), avg(Score) as AvgScore by ip</query>
...
</search>
...
<search base="base"> <!-- Use the same string as above -->
<query>| stats avg(AvgScore) as Average, avgAvgScore) as Median, max( AvgScore) as Max by company</query>
</search>
...
---
If this reply helps you, Karma would be appreciated.
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

The Defining Technology Movement of Our Lifetime The advent of agentic AI is arguably the defining technology ...

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...