https://community.splunk.com/t5/Splunk-Search/Regular-expression-and-aggregate-the-result/m-p/289600#M165055 <P>Removed <CODE>\s</CODE> from <CODE>(?\s+\d+)</CODE> in the <CODE>rex</CODE> command. You need not use <CODE>| convert num(TIME)</CODE></P> <PRE><CODE>&lt;YourBaseSearch&gt; | rex field=_raw "appx\):\s+\d+\.\d+\s+(?&lt;TIME&gt;\d+)" | stats avg(TIME) </CODE></PRE> <P>Please try out and confirm.</P> Fri, 17 Nov 2017 19:14:44 GMT niketn 2017-11-17T19:14:44Z https://community.splunk.com/t5/Splunk-Search/Regular-expression-and-aggregate-the-result/m-p/289599#M165054 <P>Assume the following records:</P> <PRE><CODE>Nov 17 19:24:51 x.x.x.x Nov 17 19:24:51 myserver (appx): 1510943091.801 520 192.168.0.5 CONNECT something else Nov 17 19:24:51 x.x.x.x Nov 17 19:24:51 myserver (appx): 1510943091.801 1040 192.168.0.5 CONNECT something else </CODE></PRE> <P>The above record is a modied squid log and i'd like to get the average response time, in this case it's the value of <STRONG>520 and 1040</STRONG></P> <P>My query:</P> <PRE><CODE> myserver | rex field=_raw "appx\):\s+\d+\.\d+\s+(?&lt;TIME&gt;\s+\d+)" | convert num(TIME) | stats avg(TIME) </CODE></PRE> <P>Somehow the avg aggregate returns nothing but using the min/max aggregate returns a value.<BR /> Whats wrong with the query?</P> <P>Thanks..</P> Fri, 17 Nov 2017 19:04:07 GMT https://community.splunk.com/t5/Splunk-Search/Regular-expression-and-aggregate-the-result/m-p/289599#M165054 mkrauss1 2017-11-17T19:04:07Z https://community.splunk.com/t5/Splunk-Search/Regular-expression-and-aggregate-the-result/m-p/289600#M165055 <P>Removed <CODE>\s</CODE> from <CODE>(?\s+\d+)</CODE> in the <CODE>rex</CODE> command. You need not use <CODE>| convert num(TIME)</CODE></P> <PRE><CODE>&lt;YourBaseSearch&gt; | rex field=_raw "appx\):\s+\d+\.\d+\s+(?&lt;TIME&gt;\d+)" | stats avg(TIME) </CODE></PRE> <P>Please try out and confirm.</P> Fri, 17 Nov 2017 19:14:44 GMT https://community.splunk.com/t5/Splunk-Search/Regular-expression-and-aggregate-the-result/m-p/289600#M165055 niketn 2017-11-17T19:14:44Z https://community.splunk.com/t5/Splunk-Search/Regular-expression-and-aggregate-the-result/m-p/289601#M165056 <P>Interesting lesson, that works for me, THANKS!</P> Fri, 17 Nov 2017 19:27:18 GMT https://community.splunk.com/t5/Splunk-Search/Regular-expression-and-aggregate-the-result/m-p/289601#M165056 mkrauss1 2017-11-17T19:27:18Z https://community.splunk.com/t5/Splunk-Search/Regular-expression-and-aggregate-the-result/m-p/289602#M165057 <P>@mkrauss1, you can use regex101.com for testing and creating regular expression for your sample events. It also has a quick reference of regular expression and gives you step by step information of each regular expression pattern match.</P> Fri, 17 Nov 2017 19:47:44 GMT https://community.splunk.com/t5/Splunk-Search/Regular-expression-and-aggregate-the-result/m-p/289602#M165057 niketn 2017-11-17T19:47:44Z https://community.splunk.com/t5/Splunk-Search/Regular-expression-and-aggregate-the-result/m-p/289603#M165058 <P>I never became a friend of regexbody but regex101.com looks very interesting. Thanks again!</P> Fri, 17 Nov 2017 19:52:19 GMT https://community.splunk.com/t5/Splunk-Search/Regular-expression-and-aggregate-the-result/m-p/289603#M165058 mkrauss1 2017-11-17T19:52:19Z https://community.splunk.com/t5/Splunk-Search/Regular-expression-and-aggregate-the-result/m-p/289604#M165059 <P>If you want to pick up on Regular Expressions you should see .conf 2017 presentation on "Beyond Regular Regular Expressions" by Cary Petterborg, our regex "guru" and Splunk Trust member.</P> <P><A href="http://conf.splunk.com/sessions/2017-sessions.html#search=Beyond%20REGULAR%20Regular%20Expressions&amp;">http://conf.splunk.com/sessions/2017-sessions.html#search=Beyond%20REGULAR%20Regular%20Expressions&amp;</A></P> Sat, 18 Nov 2017 05:09:22 GMT https://community.splunk.com/t5/Splunk-Search/Regular-expression-and-aggregate-the-result/m-p/289604#M165059 niketn 2017-11-18T05:09:22Z