Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: average for a field value per n number of even...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
zubairaizatron
Explorer
04-06-2020
06:34 AM
How would i find the average value of a certain field per a certain amount of events
Example:
i have 1000 events and in there i have a specific numerical field. what would i do if i wanted an average of every 10 events and wanted to display them in a new table. so my new table will have 100 events now each entry filled with the average of 10 events
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
manjunathmeti
Champion
04-06-2020
07:36 AM
Try this,
index = INDEXNAME | streamstats count | eval count = count - 1, count = count - (count % 10) | stats avg(NUMERIC_FIELD) by count
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
richgalloway
SplunkTrust
04-06-2020
07:44 AM
This run-anywhere example may help.
| makeresults | eval fielda = "1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40"
| eval fielda=split(fielda,",")
| mvexpand fielda
`comment("Everything above just creates sample data")`
| streamstats reset_after=(count==10) window=10 avg(fielda) count | where count=10 | fields - count
---
If this reply helps you, Karma would be appreciated.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
manjunathmeti
Champion
04-06-2020
07:36 AM
Try this,
index = INDEXNAME | streamstats count | eval count = count - 1, count = count - (count % 10) | stats avg(NUMERIC_FIELD) by count
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
zubairaizatron
Explorer
04-06-2020
08:16 AM
this generates a weird count value. its goes 0,10,100,1000,10000,10010,10020,10030, whereas what we looking for is a 10,20,30,40,50 in the count
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
manjunathmeti
Champion
04-06-2020
11:29 AM
Just sort count, you'll see expected values:
index = INDEXNAME | streamstats count | eval count = count - 1, count = count - (count % 10) | stats avg(NUMERIC_FIELD) by count | sort count
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
zubairaizatron
Explorer
04-07-2020
02:10 AM
this works thanks man
Get Updates on the Splunk Community!
Splunk Answers Content Calendar, July Edition I
Hello Community!
Welcome to another month of Community Content Calendar series! For the month of July, we will ...
Secure Your Future: Mastering Upgrade Readiness for Splunk 10
Spotlight: The Splunk Health Assistant Add-On
The Splunk Health Assistant Add-On is your ultimate companion ...
Observability Unlocked: Kubernetes & Cloud Monitoring with Splunk IM
Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team on ...
