https://community.splunk.com/t5/Splunk-Search/Show-averages-for-three-different-types-of-results/m-p/102512#M26497 <P>Hi, have not idea how your base search looks or your raw data, but I would use rex or regex in my search. I am also assuming CitrixServer is a valid field. </P> <P>I am assuming the following: OAIMFEPV94 - base_servername=OAIMFE, server_type=PV, server_instance=94</P> <P><CODE></CODE><PRE><CODE><BR /> ...| rex field=CitrixServer "(?i)oaimfe(?&lt;server_type&gt;\w+)\d\d$" | stats sum(TotalStartupTime) by server_type<BR /> </CODE></PRE></P> <P>You can further enrich the data by using a case statment or lookup table. Also read Splunk SPL Cook book which is available for download.</P> <P>Hope this helps or gets you started. Don't forget to accept and vote answers that help.</P> Mon, 22 Jul 2013 18:02:16 GMT bmacias84 2013-07-22T18:02:16Z https://community.splunk.com/t5/Splunk-Search/Show-averages-for-three-different-types-of-results/m-p/102511#M26496 <P>I need to show the difference between three different types of servers for example.</P> <P>CitrixServer TotalStartupTime<BR /> OAIMFEP06 15.609 <BR /> OAIMFEPV94 27.876 <BR /> OAIMFEPT07 17446.984</P> <P>Virtual servers have 'v' in the name, test servers have 't' in the name and physical servers have neither T or V in the name.</P> <P>I would like to show the average TotalStartupTime for each type of server. </P> <P>Thank you SplunkBase!</P> <PRE><CODE>CitrixServer TotalStartupTime </CODE></PRE> <P>1 OAIMFEPV94 27.876<BR /> 2 OAIMFEPV89 20.095<BR /> 3 OAIMFEPV13 36.08<BR /> 4 oaimfep03 51.654<BR /> 5 OAIMFEP22 779.027<BR /> 6 OAIMFEP02 52.532<BR /> 7 OAIMFEPV83 67.69<BR /> 8 OAIMFEPV80 15.25<BR /> 9 OAIMFEPV40 98.207<BR /> 10 OAIMFEP06 15.609</P> Mon, 22 Jul 2013 12:51:23 GMT https://community.splunk.com/t5/Splunk-Search/Show-averages-for-three-different-types-of-results/m-p/102511#M26496 bigtyma 2013-07-22T12:51:23Z https://community.splunk.com/t5/Splunk-Search/Show-averages-for-three-different-types-of-results/m-p/102512#M26497 <P>Hi, have not idea how your base search looks or your raw data, but I would use rex or regex in my search. I am also assuming CitrixServer is a valid field. </P> <P>I am assuming the following: OAIMFEPV94 - base_servername=OAIMFE, server_type=PV, server_instance=94</P> <P><CODE></CODE><PRE><CODE><BR /> ...| rex field=CitrixServer "(?i)oaimfe(?&lt;server_type&gt;\w+)\d\d$" | stats sum(TotalStartupTime) by server_type<BR /> </CODE></PRE></P> <P>You can further enrich the data by using a case statment or lookup table. Also read Splunk SPL Cook book which is available for download.</P> <P>Hope this helps or gets you started. Don't forget to accept and vote answers that help.</P> Mon, 22 Jul 2013 18:02:16 GMT https://community.splunk.com/t5/Splunk-Search/Show-averages-for-three-different-types-of-results/m-p/102512#M26497 bmacias84 2013-07-22T18:02:16Z https://community.splunk.com/t5/Splunk-Search/Show-averages-for-three-different-types-of-results/m-p/102513#M26498 <P>Nice!</P> <P>Thank you!</P> Tue, 23 Jul 2013 20:31:33 GMT https://community.splunk.com/t5/Splunk-Search/Show-averages-for-three-different-types-of-results/m-p/102513#M26498 bigtyma 2013-07-23T20:31:33Z https://community.splunk.com/t5/Splunk-Search/Show-averages-for-three-different-types-of-results/m-p/102514#M26499 <P>If this help dont forget to accept by clicking the the check mark. Cheers</P> Tue, 23 Jul 2013 20:45:43 GMT https://community.splunk.com/t5/Splunk-Search/Show-averages-for-three-different-types-of-results/m-p/102514#M26499 bmacias84 2013-07-23T20:45:43Z