https://community.splunk.com/t5/Splunk-Search/Performing-calculations-on-multi-valued-fields/m-p/453218#M128283 <P>Hello, I am trying to perform calculations on multiple fields. </P> <P>I am working with data in the format of Key='value1,value2,value3,value4' which can contain anywhere from 1 to 4 values. </P> <P><STRONG>Input:</STRONG> <BR /> height='32,12,14,13' or width='32' <BR /> as well as variance='3.24e-2,4.23e+3,1.12e-4,1.01e-3'</P> <P><STRONG>Query:</STRONG><BR /> `<BR /> index=myindex sourcetype=mysourcetype<BR /> | transaction source <BR /> | foreach *<BR /> [eval &lt;&gt;=if(match('&lt;&gt;', "[\d.,e+-]+"), '&lt;&gt;', '') <BR /> | eval total=0 | eval count=1<BR /> | eval &lt;&gt;=replace(&lt;&gt;,"\'","")<BR /> | makemv delim="," '&lt;&gt;' <BR /> | mvexpand '&lt;&gt;' <BR /> | foreach &lt;&gt;<BR /> [eval total_&lt;<FIELD>&gt;=total + &lt;<FIELD>&gt;<BR /> | eval count=count + 1]<BR /> | eval avg_&lt;&gt;=&lt;&gt;/count]<BR /> | table *, total, count<BR /> | transpose include_empty=false 10</FIELD></FIELD></P> <P>`</P> <P><STRONG>Expected Output:</STRONG><BR /> height=17.75<BR /> width=32<BR /> variance=1.0575e+3</P> <P><STRONG>Actual Output:</STRONG><BR /> height=032,12,14,13, width=32<BR /> variance=03.24e-2,4.23e+3,1.12e-4,1.01e-3</P> <P>Thank you in advance for any help provided! </P> Tue, 29 Sep 2020 23:47:26 GMT ztayluh 2020-09-29T23:47:26Z https://community.splunk.com/t5/Splunk-Search/Performing-calculations-on-multi-valued-fields/m-p/453218#M128283 <P>Hello, I am trying to perform calculations on multiple fields. </P> <P>I am working with data in the format of Key='value1,value2,value3,value4' which can contain anywhere from 1 to 4 values. </P> <P><STRONG>Input:</STRONG> <BR /> height='32,12,14,13' or width='32' <BR /> as well as variance='3.24e-2,4.23e+3,1.12e-4,1.01e-3'</P> <P><STRONG>Query:</STRONG><BR /> `<BR /> index=myindex sourcetype=mysourcetype<BR /> | transaction source <BR /> | foreach *<BR /> [eval &lt;&gt;=if(match('&lt;&gt;', "[\d.,e+-]+"), '&lt;&gt;', '') <BR /> | eval total=0 | eval count=1<BR /> | eval &lt;&gt;=replace(&lt;&gt;,"\'","")<BR /> | makemv delim="," '&lt;&gt;' <BR /> | mvexpand '&lt;&gt;' <BR /> | foreach &lt;&gt;<BR /> [eval total_&lt;<FIELD>&gt;=total + &lt;<FIELD>&gt;<BR /> | eval count=count + 1]<BR /> | eval avg_&lt;&gt;=&lt;&gt;/count]<BR /> | table *, total, count<BR /> | transpose include_empty=false 10</FIELD></FIELD></P> <P>`</P> <P><STRONG>Expected Output:</STRONG><BR /> height=17.75<BR /> width=32<BR /> variance=1.0575e+3</P> <P><STRONG>Actual Output:</STRONG><BR /> height=032,12,14,13, width=32<BR /> variance=03.24e-2,4.23e+3,1.12e-4,1.01e-3</P> <P>Thank you in advance for any help provided! </P> Tue, 29 Sep 2020 23:47:26 GMT https://community.splunk.com/t5/Splunk-Search/Performing-calculations-on-multi-valued-fields/m-p/453218#M128283 ztayluh 2020-09-29T23:47:26Z https://community.splunk.com/t5/Splunk-Search/Performing-calculations-on-multi-valued-fields/m-p/453219#M128284 <P>can you share sample events and desired results?</P> Fri, 22 Mar 2019 18:31:48 GMT https://community.splunk.com/t5/Splunk-Search/Performing-calculations-on-multi-valued-fields/m-p/453219#M128284 adonio 2019-03-22T18:31:48Z https://community.splunk.com/t5/Splunk-Search/Performing-calculations-on-multi-valued-fields/m-p/453220#M128285 <P>Hi Adonio, here is an example event. </P> <PRE><CODE>21-Mar-19 05:10:46 total_Height_mm='66,41,29,28' </CODE></PRE> <P>Each event has a different multi-value pair.<BR /> There are ~150+ events per source</P> <P>Thank you!</P> Fri, 22 Mar 2019 19:01:23 GMT https://community.splunk.com/t5/Splunk-Search/Performing-calculations-on-multi-valued-fields/m-p/453220#M128285 ztayluh 2019-03-22T19:01:23Z https://community.splunk.com/t5/Splunk-Search/Performing-calculations-on-multi-valued-fields/m-p/453221#M128286 <P>I am still puzzled as to what is the desired output ...<BR /> can you share at least 10 events and the desired output from search?</P> Sat, 23 Mar 2019 21:30:19 GMT https://community.splunk.com/t5/Splunk-Search/Performing-calculations-on-multi-valued-fields/m-p/453221#M128286 adonio 2019-03-23T21:30:19Z https://community.splunk.com/t5/Splunk-Search/Performing-calculations-on-multi-valued-fields/m-p/453222#M128287 <P>I apologize, hopefully this will be clearer</P> <P>If I had an event like this:<BR /> <CODE>21-Mar-19 05:10:46 <BR /> total_Height_mm='66,41,29,28'</CODE></P> <P><STRONG>I would expect to get:</STRONG><BR /> avg_total_Height_mm=(66 + 41 + 29 + 28)/4 = 41</P> <P>Here are some additional events and their desired output:</P> <P><CODE>21-Mar-19 05:10:46 <BR /> total_Pressure_psi='16.16,16.16,16.16,16.16'</CODE></P> <P><STRONG>Output:</STRONG><BR /> avg_total_Pressure_psi = 16.16</P> <P><CODE>21-Mar-19 05:10:46 <BR /> total_Pressure_kpa='3.2405e+2,3.8095e+2,3.4152e+2,3.9155e+2'</CODE></P> <P><STRONG>Output:</STRONG><BR /> avg_total_Pressure_kpa=3.595175e+2 </P> <P>Thank you.</P> Tue, 29 Sep 2020 23:52:06 GMT https://community.splunk.com/t5/Splunk-Search/Performing-calculations-on-multi-valued-fields/m-p/453222#M128287 ztayluh 2020-09-29T23:52:06Z https://community.splunk.com/t5/Splunk-Search/Performing-calculations-on-multi-valued-fields/m-p/453223#M128288 <P>hope i understood your question, try this out.<BR /> also, plenty will depend on how the data is indexed and the fields you extract</P> <PRE><CODE>| makeresults count=1 | eval data = "21-Mar-19 05:10:46 total_Height_mm='66,41,29,28';;;21-Mar-19 05:10:46 total_Pressure_psi='16.16,16.16,16.16,16.16';;;21-Mar-19 05:10:46 total_Pressure_kpa='3.2405e+2,3.8095e+2,3.4152e+2,3.9155e+2'" | makemv delim=";;;" data | mvexpand data | rex field=data "(?&lt;time&gt;\S+\s\S+)\s(?&lt;fields&gt;[^\=]+)\=\'(?&lt;values&gt;[^\']+)" | makemv delim="," values | mvexpand values | stats avg(values) as avg_value by fields </CODE></PRE> Tue, 26 Mar 2019 13:23:27 GMT https://community.splunk.com/t5/Splunk-Search/Performing-calculations-on-multi-valued-fields/m-p/453223#M128288 adonio 2019-03-26T13:23:27Z