I have a list of values in Splunk. I can use this list to calcualte avg(vals) and stdev(vals). How do I calculate the mean deviation.
The mean deviation is the average absolute difference between the mean and each value in the list.
(Sum_x |mean-x|) / N
The following SPL can be used to calculate the mean deviation of all values.
| eventstats mean(value) as mean | eval distance=abs(mean-value) | stats avg(distance) as mean_deviation
For example, this will generate 10 random values and then calculate the mean deviation.
| makeresults count=10 | eval value=random()%10 | eventstats mean(value) as mean | eval distance=abs(mean-value) | stats avg(distance) as mean_deviation
eventstats is used to calculate the mean all the values, and add this new field to each event. Then, eval disatnace is used to calculate the absolute distance away each value is from the mean. The final stats is just used to determine the average of this value.
Look here for documentation around eventstats https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Eventstats , and a good blog post around the differences between stats, eventstats and streamstats can be found at https://www.splunk.com/en_us/blog/tips-and-tricks/search-command-stats-eventstats-and-streamstats-2.html
