topic From the following log data, how do I create a table that includes the average response time? in Splunk Search

From the following log data, how do I create a table that includes the average response time?

pvrk007 — Thu, 13 Dec 2018 17:16:05 GMT

My log Data is in this format:

response="{"status":"success","Registries":[{"create":"2018-08-28","last":null,"Story":null}]}" response_Time="4"

When i try to create a table with response and response time, I get { for response and response time as blank

When i try to get the average of response time, i get nothing.

Can anyone help me with queries to get full JSON data in table and average response time.

Re: From the following log data, how do I create a table that includes the average response time?

macadminrohit — Fri, 14 Dec 2018 05:18:17 GMT

Do you need average response time by a field in the events or average of all response times in entire data set ? because if you ultimately require table of raw data(json) and average response time then it should be by some field in your events.

You can do like this :

your base search | rex "response_Time\=\"(?<response_time>\d+)\"" | table _raw response_time | eventstats avg(response_time) as average

You can add any field after the by clause. Let me know if it works, i can help further.