@viggor - best practices are to always rename the field count, to avoid confusing yourself or Splunk. Thus, count in a command always refers to the count being calculated in that current command, and it is never possible to average it or anything else. In this case, mycount is the count created in line 6 for a particular _time bucket.
If you change streamstats to window=120, then you are averaging the last 120 non-zero buckets. Is that what you want?
The first 50 non-zero buckets can never have 50 non-zero buckets before them to average out. You do not HAVE to drop them... normally I would just start the job with earliest= far enough back that I could throw away the first 50 records and still have the range that I was actually looking for.
For instance, if I typically had about 75 nonzero buckets per hour, and if I wanted a 2 hour window, then I would start the window a little more than 40 minutes earlier than my window. (Probably 60 just to be sure.)
As long as you are doing that, then you don't really need to check for the 50. If you are checking against the average that happens to be only 45 events, the difference is not that critical. Just average the events starting at a duration before the desired range that you estimate should usually contain at least 50 nonzero buckets, and then after calculating averages, throw away all buckets before the desired range.
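The procedure described in this answer, written out as one SPL search. This is an added example, not the poster's own search or the one from the original question: the index, sourcetype, the 1-minute span, the 2-hour range of interest, the 1-hour padding before it, and the 3x threshold at the end are all assumed values chosen for illustration.

```spl
index=main sourcetype=my_sourcetype earliest=-3h latest=now
| bin _time span=1m
| stats count AS mycount BY _time
| where mycount > 0
| streamstats window=50 avg(mycount) AS avg_mycount
| where _time >= relative_time(now(), "-2h@m")
| eval ratio = round(mycount / avg_mycount, 2)
| where ratio > 3
```

The search starts one hour before the 2-hour range actually wanted (earliest=-3h), so that, at the assumed rate of roughly 75 non-zero buckets per hour, the first 50 non-zero buckets used to seed the running average fall entirely inside the padding. The count is renamed to mycount in the stats command rather than left as count, so the later streamstats and eval lines unambiguously refer to the per-bucket value. Zero buckets are dropped before streamstats, so window=50 means the last 50 non-zero buckets; by default streamstats includes the current bucket in that window (current=true), so add current=false if the average should only cover the 50 buckets before each one. The second where clause then throws away every bucket before the desired range, as the answer suggests, and the final two lines flag buckets that are well above their rolling average, which is the usual reason for building this baseline in the first place.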