Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create total average/median/max of field in a separate table?

LearningGuy
Builder
‎10-23-2023 07:06 AM


How to create total average/median/max of field in a separate table?
Thank you in advance

| index=testindex
| table company, ip, Vulnerability, Score

companyipVulnerabilityScore
CompanyAip1Vuln12
CompanyAip1Vuln20
CompanyAip2Vuln34
CompanyAip2Vuln42
CompanyAip3Vuln53
CompanyAip3Vuln65


Group by IP  => This worked just fine
| stats values(company), avg(Score) as AvgScore by ip

companyipAvgScore
CompanyAip11
CompanyAip23
CompanyAip34


Group by Company   =>  how do I group by company after group by ip (using stats) and put it on a separate table?
| stats avg(AvgScore) as Average, avgAvgScore) as Median, max( AvgScore) as Max by company

CompanyAverageMedianMax
CompanyA2.734
Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎10-23-2023 08:03 AM

A separate table requires a separate search.

If this is in a dashboard then consider making the first table a base search and the second table a post-processing of the first.  That will save you time and resources when the dashboard runs.

...
<search id="base"> <!-- "base" can be any string -->
  <query>| index=testindex
| table company, ip, Vulnerability, Score
| stats values(company), avg(Score) as AvgScore by ip</query>
...
</search>
...
<search base="base"> <!-- Use the same string as above -->
<query>| stats avg(AvgScore) as Average, avgAvgScore) as Median, max( AvgScore) as Max by company</query>
</search>
...
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

LearningGuy
Builder
‎10-23-2023 11:26 AM

Hello,
I tried your suggestion and it worked fine. I am accepting this as a solution
Can you also suggest how to put the average, median and max on the bottom of the table?
Thank you again
Below is the example:  

companyipAvgScore
CompanyAip11
CompanyAip23
CompanyAip34
 Average2.7
 Median3
 Max4




0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎10-23-2023 12:41 PM

I think you can do that with the appendpipe command, which processes the current results and adds new results to bottom.

 

| stats values(company), avg(Score) as AvgScore by ip
| appendpipe [ stats avg(AvgScore) as Average, median(AvgScore) as Median, max(AvgScore) as Max by company ]

 

 

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

LearningGuy
Builder
‎10-23-2023 05:11 PM

Hello,

I tried the command you suggested and it did not show any effects
Please suggest.

Thanks

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎10-23-2023 05:24 PM

I used the wrong case in the field name.  Try my edited answer.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

LearningGuy
Builder
‎10-23-2023 06:31 PM

Hello,
There would be no difference because I converted your suggestion to my real data, so I already fixed any details
Please suggest.

Thanks,

Marius

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎10-23-2023 08:03 AM

A separate table requires a separate search.

If this is in a dashboard then consider making the first table a base search and the second table a post-processing of the first.  That will save you time and resources when the dashboard runs.

...
<search id="base"> <!-- "base" can be any string -->
  <query>| index=testindex
| table company, ip, Vulnerability, Score
| stats values(company), avg(Score) as AvgScore by ip</query>
...
</search>
...
<search base="base"> <!-- Use the same string as above -->
<query>| stats avg(AvgScore) as Average, avgAvgScore) as Median, max( AvgScore) as Max by company</query>
</search>
...
---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL  The Splunk AI Assistant for SPL ...

Buttercup Games: Further Dashboarding Techniques (Part 5)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Customers Increasingly Choose Splunk for Observability

For the second year in a row, Splunk was recognized as a Leader in the 2024 Gartner® Magic Quadrant™ for ...