0

I'm new to Splunk and I'm having trouble with the following line of code. I think what I'm trying to do is pretty self-explanatory. Essentially the data I'm working with is one column and the values in the column are "0" or "1". Any help would be greatly appreciated. Thank you!

| stats sum(ACCESS_REVIEW_COMPLETE) \ count(ACCESS_REVIEW_COMPLETE)
Gary Dorman

1 Answer

1

You can't do that with stats. If you want an average, try

| stats avg(ACCESS_REVIEW_COMPLETE)

For other calculations, separate commands are needed:

| stats sum(ACCESS_REVIEW_COMPLETE) as sum, count(ACCESS_REVIEW_COMPLETE) as count | eval calc=sum%count

RichG