Reputation: 160
Calculate mean deviation with Splunk
I have a list of values in Splunk. I can use this list to calcualte avg(vals) and stdev(vals). How do I calculate the mean deviation.
The mean deviation is the average absolute difference between the mean and each value in the list.
(Sum_x |mean-x|) / N
Upvotes: 0
Views: 1092
Answers (1)
Reputation: 2651
The following SPL can be used to calculate the mean deviation of all values.
| eventstats mean(value) as mean | eval distance=abs(mean-value) | stats avg(distance) as mean_deviation
For example, this will generate 10 random values and then calculate the mean deviation.
| makeresults count=10 | eval value=random()%10 | eventstats mean(value) as mean | eval distance=abs(mean-value) | stats avg(distance) as mean_deviation
eventstats is used to calculate the mean all the values, and add this new field to each event. Then, eval disatnace is used to calculate the absolute distance away each value is from the mean. The final stats is just used to determine the average of this value.
Look here for documentation around eventstats https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Eventstats , and a good blog post around the differences between stats, eventstats and streamstats can be found at https://www.splunk.com/en_us/blog/tips-and-tricks/search-command-stats-eventstats-and-streamstats-2.html
Upvotes: 1
Related Questions
- Splunk Summary Indexes - why does sistats not work like stats?
- Splunk getting average TPS for each service
- Data Analysis in Splunk
- How to extract a value from fields when using stats()
- Compute average and standard deviation with awk
- How to merge two stats by in Splunk?
- Calculating event throughput in splunk
- Sum of count with Splunk
- Trying To Peform Mathmetical Calculations Based off One Column
- Splunk Query - Compute stats by removing duplicates and custom query