Re: How to create a search that finds the average ...

kishan2356 · ‎04-05-2022

I have an search where I need to find the average of the last three bins. Example: On my time filter I select an range of 10:00 - 10:30. I need to find the average of ONLY the first three bins 581, 698, and 247. How can I create a search that does this?

On this dashboard I use an time picker so the search would need to be dynamic, as there would be new time inputs.

_time	Count
10:00	581
10:05	698
10:10	247
10:15	987
10:20	365
10:30	875

bowesmana · ‎04-05-2022

How do you want to display that, as a single value somewhere or in the same table as your example. There are several ways to calculate that. Note that you mention both first and last - but imply earliest in your numbers.

Note that you can always make a base search if you have data in one dashboard panel that is used by another and add whatever you need to a post processing search for the average.

If you simply want the average of the 3 as a value somewhere, take the last two lines of this.

| makeresults
| eval _raw="_time	Count
10:00	581
10:05	698
10:10	247
10:15	987
10:20	365
10:30	875"
| multikv forceheader=1
| eval _time=strptime(time, "%H:%M")
| table _time Count
| head 3
| stats avg(Count) as Count

or as a rolling average of the 3 bins, use this instead of the last two lines above

| streamstats window=3 avg(Count) as AvgCount

If that doesn't help, please clarify how you want to use this value

How to create a search that finds the average of the last three bins?

count

stats

subsearch

timechart

Archived Metrics Now Available for APAC and EMEA realms

Detecting Remote Code Executions With the Splunk Threat Research Team

Enter the Dashboard Challenge and Watch the .conf24 Global Broadcast!