This query function is used to calculate the average for a field over a set of events. The result is returned in a field named _avg. You can use this field name to pipe the results to other query functions for further processing, as shown in the example below.

asstringfalse_avgThe optional name of the output field.
fieldstringtrue The field from which to extract a number and calculate the average. [a]

[a] When you provide only one parameter, the implied parameter is field


As an example of how you might use the avg() query function, suppose you have a repository with events that include receiving occasionally small files. Suppose further that you want to determine the average size of files received into the repository. To do this, you might use a query such as this:

source_type=file |
avg(field=responsesize) |
round(_avg, how=floor)

First, the query selects events in which the source_type has a value of file. The average of those values is determined using the avg() function. That number is piped to the round() function round down value — truncating the decimal value.

This query would return a result similar to what you see in Figure 270, “”:

Average Function Query Example

Figure 270. 

To present the result in a more pronounced way, the example in this screenshot is using the Gauge widget. This query and widget could be saved to an existing dashboard by clicking on Save As... in the top right.

Saving Average Function Query

Figure 271. Saving Average Function Query

For more information on saving a query and widget to a dashboard, see Managing Dashboard Widgets.