Solved: average for a field value per n number of events

zubairaizatron · ‎04-06-2020

How would i find the average value of a certain field per a certain amount of events

Example:
i have 1000 events and in there i have a specific numerical field. what would i do if i wanted an average of every 10 events and wanted to display them in a new table. so my new table will have 100 events now each entry filled with the average of 10 events

manjunathmeti · ‎04-06-2020

Try this,

index = INDEXNAME | streamstats count | eval count = count - 1, count = count - (count % 10) | stats avg(NUMERIC_FIELD) by count

View solution in original post

richgalloway · ‎04-06-2020

This run-anywhere example may help.

| makeresults | eval fielda = "1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40" 
| eval fielda=split(fielda,",") 
| mvexpand fielda 
`comment("Everything above just creates sample data")`
| streamstats reset_after=(count==10) window=10 avg(fielda) count | where count=10 | fields - count

---
If this reply helps you, Karma would be appreciated.

manjunathmeti · ‎04-06-2020

Try this,

index = INDEXNAME | streamstats count | eval count = count - 1, count = count - (count % 10) | stats avg(NUMERIC_FIELD) by count

zubairaizatron · ‎04-06-2020

this generates a weird count value. its goes 0,10,100,1000,10000,10010,10020,10030, whereas what we looking for is a 10,20,30,40,50 in the count

manjunathmeti · ‎04-06-2020

Just sort count, you'll see expected values:

index = INDEXNAME | streamstats count | eval count = count - 1, count = count - (count % 10) | stats avg(NUMERIC_FIELD) by count | sort count

zubairaizatron · ‎04-07-2020

this works thanks man

average for a field value per n number of events

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector

Adoption of Infrastructure Monitoring at Splunk