Solved: Stats count and average

rhinomike · ‎01-23-2015

I have a log that more or less looks like:

 timestamp=1422006650  [email protected] [email protected] subject="I love you honey" score=100 
 timestamp=1422007650    [email protected] [email protected] subject="I love you honey" score=100 
 timestamp=1422008650    [email protected] [email protected] subject="I loved him first" score=100
 timestamp=1422009650    [email protected] [email protected] subject="I loved you first" score=50
 timestamp=1422009750    [email protected] [email protected] subject="I loved him  first" score=10

I am now trying to perform a stats like

from                    subject                 count_to    avg_score
[email protected]          I love you honey       2       100
[email protected]          I loved you first      1       50
[email protected]          I loved him first      2       55

If I'm not mistaken, I can use:

stats count by from,to, subject to build the four first columns, however it is not clear to me how to calculate the average for a particular set of values in accordance with the first round of stats.

Is it possible?

aweitzman · ‎01-23-2015

This should work:

... | stats count as count_to avg(score) as avg_score by from subject

View solution in original post

aweitzman · ‎01-23-2015

This should work:

... | stats count as count_to avg(score) as avg_score by from subject

rhinomike · ‎03-01-2015

Solved it perfectly. Thanks

Stats count and average

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Think Like an Architect: Introducing the Splunk Certified Cybersecurity Defense ...

Index This | What has goals but no motivation?

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

Join the Conversation