The avg aggregation in APL calculates the average value of a numeric field across a set of records. You can use this aggregation when you need to determine the mean value of numerical data, such as request durations, response times, or other performance metrics. It’s useful in scenarios such as performance analysis, trend identification, and general statistical analysis.
When to use avg:
- When you want to analyze the average of numeric values over a specific time range or set of data.
- For comparing trends, like average request duration or latency across HTTP requests.
- To provide insight into system or user performance, such as the average duration of transactions in a service.
For users of other query languages
If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
In Splunk SPL, the avg function works similarly, but the syntax differs slightly. Here’s how to write the equivalent query in APL.
['sample-http-logs']
| summarize avg(req_duration_ms) by statusIn ANSI SQL, the avg aggregation is used similarly, but APL has a different syntax for structuring the query.
['sample-http-logs']
| summarize avg(req_duration_ms) by statusUsage
Syntax
summarize avg(ColumnName) [by GroupingColumn]Parameters
- ColumnName: The numeric field you want to calculate the average of.
- GroupingColumn (optional): A column to group the results by. If not specified, the average is calculated over all records.
Returns
- A table with the average value for the specified field, optionally grouped by another column.
Use case examples
This example calculates the average request duration for HTTP requests, grouped by status.
Query
['sample-http-logs']
| summarize avg(req_duration_ms) by statusOutput
| status | avg_req_duration_ms |
|---|---|
| 200 | 350.4 |
| 404 | 150.2 |
This query calculates the average request duration (in milliseconds) for each HTTP status code.
This example calculates the average span duration for each service to analyze performance across services.
Query
['otel-demo-traces']
| summarize avg(duration) by ['service.name']Output
| service.name | avg_duration |
|---|---|
| frontend | 500ms |
| cartservice | 250ms |
This query calculates the average duration of spans for each service.
In security logs, you can calculate the average request duration by country to analyze regional performance trends.
Query
['sample-http-logs']
| summarize avg(req_duration_ms) by ['geo.country']Output
| geo.country | avg_req_duration_ms |
|---|---|
| US | 400.5 |
| DE | 250.3 |
This query calculates the average request duration for each country from where the requests originated.
List of related aggregations
- sum: Use
sumto calculate the total of a numeric field. This is useful when you want the total of values rather than their average. - count: The
countfunction returns the total number of records. It’s useful when you want to count occurrences rather than averaging numerical values. - min: The
minfunction returns the minimum value of a numeric field. Use this when you’re interested in the smallest value in your dataset. - max: The
maxfunction returns the maximum value of a numeric field. This is useful for finding the largest value in the data. - stdev: This function calculates the standard deviation of a numeric field, providing insight into how spread out the data is around the mean.