This app contains a custom command that can perform certain calculations on
multi-value fields without resorting to mvexpand. This can be handy when you
have several MV fields and the use of mvexpand might lose the relationships
among them.
The command can do sum, average, min, max, range (max - min), stdev, median, and mode.
USAGE

    | mvstats {function} {mv-field} as {result-field}

Where:

function is one of:
    sum    - add up the values in {mv-field}
    avg    - compute the average of the values in {mv-field}
    min    - return the lowest number in {mv-field}
    max    - return the highest number in {mv-field}
    range  - return the difference between the highest and lowest values
    stdev  - compute the standard deviation of the values in {mv-field}
    median - return the middle value in {mv-field}
    mode   - return the most common value in {mv-field}

{mv-field} is a multi-value numeric field
{result-field} is the name of a field to receive the results

Notes:
- If {mv-field} contains a non-numeric value then result-field is set to "NaN"
- The mode function returns "NaN" if more than one value has the highest cardinality.
- The mode function accepts non-numeric input.

EXAMPLE:

    ... | stats values(dest_port) as dest_port, values(count) as count by app
    | mvstats sum count as total

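
The rules in the Notes above, modelled in Python as an added sketch that is not the app's own source code, so the "NaN" cases can be checked against sample values before relying on them in a search. The name mvstats_model, the float return type, and the handling of empty fields and of "nan"/"inf" strings are assumptions; stdev and median are left out because the page does not say which variant the command computes.

```python
import math
from collections import Counter

NAN = "NaN"  # the literal string the page says is written to {result-field}

def _to_numbers(values):
    """Return floats for every value, or None if any value is non-numeric."""
    numbers = []
    for v in values:
        try:
            n = float(v)
        except (TypeError, ValueError):
            return None
        if not math.isfinite(n):  # assumption: "nan"/"inf" strings are not numeric
            return None
        numbers.append(n)
    return numbers

def _mode(values):
    """Most common value; "NaN" when the top count is shared (Notes, item 2)."""
    ranked = Counter(str(v) for v in values).most_common(2)
    if len(ranked) == 2 and ranked[0][1] == ranked[1][1]:
        return NAN
    return ranked[0][0]

NUMERIC = {
    "sum": sum,
    "avg": lambda n: sum(n) / len(n),
    "min": min,
    "max": max,
    "range": lambda n: max(n) - min(n),
}

def mvstats_model(function, values):
    """Hypothetical model of `mvstats {function} {mv-field}` for one event."""
    if not values:
        return None  # assumption: the page does not describe empty fields
    if function == "mode":
        return _mode(values)  # mode accepts non-numeric input (Notes, item 3)
    if function not in NUMERIC:
        raise ValueError(f"not modelled here: {function}")
    numbers = _to_numbers(values)
    if numbers is None:
        return NAN  # one non-numeric value makes the result "NaN" (Notes, item 1)
    return NUMERIC[function](numbers)

# Constructed sample: the multi-value `count` field of one event.
counts = ["12", "7", "7", "30"]
```
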
Created By
Richard Galloway