avgif

Owned by Haim Koschitzky
Jun 07, 2016
1 min read

Synopsis

Calculates the average of the values in a specified column of the search query results based on a query to be executed on the record.

Syntax

avgif [column_name] “[search_query]”

Required Arguments

column_name

Syntax: <character string>

Description: The name of a column header that has numeric values

search_query

Syntax: <character string>

Description: The search query to be executed on the record

Optional Arguments

None

Description

For each event in the search query results that has the specified column_name with a numeric value, adds the value to the cumulative sum, and when it has reached the last event, divides the cumulative sum by the number of events to get the average.

Examples

Example 1:  

* in log.access | avgif Bytes Sent "status=200"

From the events in access log, returns the average of the values in column Bytes Sent only if the value of column status is 200.

Example 2:  

From the events in log.iss log that contain http in their cs-host column, returns the average of the values in column time-taken, grouped according to the value of the sc-status column.