https://community.splunk.com/t5/Splunk-Search/splunk-search/m-p/539915#M152714 <P>awesome, it worked, thanks for ur help</P> Mon, 15 Feb 2021 11:06:46 GMT foysal0124 2021-02-15T11:06:46Z https://community.splunk.com/t5/Splunk-Search/splunk-search/m-p/539873#M152698 <P>&nbsp;</P><P>I have an event value like this&nbsp;&nbsp;<SPAN class="t">2021-02-15</SPAN> <SPAN class="t">18:07:33</SPAN><SPAN>,</SPAN><SPAN class="t h">936, where the last value after comma(936) means the response time in ms. i tried to extract that value and want to average response time but it did not work.</SPAN></P><P><SPAN class="t h">how i can extract the value after comma from that field. i tried something like this&nbsp;</SPAN></P><P><SPAN class="t h">avg(mvindex(split(TimeStamp,","),-1)) as AverageResponse</SPAN></P><P><SPAN class="t h">TimeStamp=<SPAN class="t">2021-02-15</SPAN> <SPAN class="t">18:07:33</SPAN><SPAN>,</SPAN>936</SPAN></P><P>&nbsp;</P><P><SPAN class="t h">Best Regards</SPAN></P><P><SPAN class="t h">Foysal</SPAN></P> Mon, 15 Feb 2021 07:26:32 GMT https://community.splunk.com/t5/Splunk-Search/splunk-search/m-p/539873#M152698 foysal0124 2021-02-15T07:26:32Z https://community.splunk.com/t5/Splunk-Search/splunk-search/m-p/539875#M152700 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/231529">@foysal0124</a>,</P><P>You use rex command like below;</P><LI-CODE lang="markup">| rex field=TimeStamp "\,(?&lt;AverageResponse&gt;\d+)"</LI-CODE> Mon, 15 Feb 2021 07:33:57 GMT https://community.splunk.com/t5/Splunk-Search/splunk-search/m-p/539875#M152700 scelikok 2021-02-15T07:33:57Z https://community.splunk.com/t5/Splunk-Search/splunk-search/m-p/539876#M152701 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/231529">@foysal0124</a>,</P><P>you can extract the values between commas using a regex and then calculate average using the stats command, something like this:</P><LI-CODE lang="markup">Your_search | rex ",(?&lt;response_time&gt;\d+)," | stats avg(response_time) AS average</LI-CODE><P>if in your logs there's the possibility to have also other numbers between commas, you have to use a just a little more complex regex like this:</P><LI-CODE lang="markup">Your_search | rex "^\d+-\d+-\d+\s+\d+:\d+:\d+,(?&lt;response_time&gt;\d+)," | stats avg(response_time) AS average</LI-CODE><P>that you can test at&nbsp;<A href="https://regex101.com/r/q4VyFQ/1" target="_blank">https://regex101.com/r/q4VyFQ/1</A></P><P>Ciao.</P><P>Giuseppe</P> Mon, 15 Feb 2021 07:36:12 GMT https://community.splunk.com/t5/Splunk-Search/splunk-search/m-p/539876#M152701 gcusello 2021-02-15T07:36:12Z https://community.splunk.com/t5/Splunk-Search/splunk-search/m-p/539912#M152712 <P>awesome, it worked</P> Mon, 15 Feb 2021 11:05:01 GMT https://community.splunk.com/t5/Splunk-Search/splunk-search/m-p/539912#M152712 foysal0124 2021-02-15T11:05:01Z https://community.splunk.com/t5/Splunk-Search/splunk-search/m-p/539913#M152713 <P>awesome test tool, thanks</P> Mon, 15 Feb 2021 11:05:37 GMT https://community.splunk.com/t5/Splunk-Search/splunk-search/m-p/539913#M152713 foysal0124 2021-02-15T11:05:37Z https://community.splunk.com/t5/Splunk-Search/splunk-search/m-p/539915#M152714 <P>awesome, it worked, thanks for ur help</P> Mon, 15 Feb 2021 11:06:46 GMT https://community.splunk.com/t5/Splunk-Search/splunk-search/m-p/539915#M152714 foysal0124 2021-02-15T11:06:46Z