Calculate Running Average of Field Values
Calculate a running average of values in a dataset using the accumulate() function
Query
head()
| accumulate(avg(value))Introduction
The accumulate() function can be used to calculate
running totals, averages, or other cumulative metrics over time or
across a series of events. The accumulate()
function applies an aggregation function cumulatively to a sequence of
events.
In this example, the accumulate() function is used
with the avg() function to calculate a running
average of the field value.
Note that the accumulate() function must be used
after an aggregator function, in this example the
head() function, to ensure event ordering.
Example incoming data might look like this:
| key | value |
|---|---|
| a | 5 |
| b | 6 |
| c | 1 |
| d | 2 |
Step-by-Step
Starting with the source repository events.
- flowchart LR; %%{init: {"flowchart": {"defaultRenderer": "elk"}} }%% repo{{Events}} 0{{Aggregate}} 1{{Aggregate}} result{{Result Set}} repo --> 0 0 --> 1 1 --> result style 0 fill:#ff0000,stroke-width:4px,stroke:#000;logscale
head()Ensures that the events are ordered by time, selecting the oldest events.
- flowchart LR; %%{init: {"flowchart": {"defaultRenderer": "elk"}} }%% repo{{Events}} 0{{Aggregate}} 1{{Aggregate}} result{{Result Set}} repo --> 0 0 --> 1 1 --> result style 1 fill:#ff0000,stroke-width:4px,stroke:#000;logscale
| accumulate(avg(value))Computes the running average of all values, including the current one, using the
accumulate()function with theavg()aggregator. Event Result set.
Summary and Results
The query is used to calculate the running average of fields. The query calculates moving averages that change as new values arrive.
Sample output from the incoming example data:
| _avg | key | value |
|---|---|---|
| 5 | a | 5 |
| 5.5 | b | 6 |
| 4 | c | 1 |
| 3.5 | d | 2 |