topic Re: Raw data into calculation. in Splunk Search

Raw data into calculation.

axl88 — Wed, 05 Feb 2014 19:59:07 GMT

Timestamp: 1/21/2014 9:40:08 Number of records : 1 Total Size of the records : 1481

Timestamp: 1/21/2014 3:22:06 Number of records : 6 Total Size of the records : 13032

Timestamp: 1/22/2014 7:12:41 Number of records : 1 Total Size of the records : 2573

Above is a sample from my data after I listed the indexes I need. I need to find daily averages of the both columns. I felt the problem is ":" that I need equal sign instead. I accept the fact that this probably a real newbie on question, thanks for your time.

Re: Raw data into calculation.

martin_mueller — Wed, 05 Feb 2014 20:14:26 GMT

First you'll need to extract the two numbers into fields: http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Aboutfields
Second you'll need to send those fields into a timechart, something like this:

your query producing fields foo and bar | timechart span=1d avg(foo) as foo_average avg(bar) as bar_average

See http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/timechart for reference.

Re: Raw data into calculation.

kristian_kolb — Wed, 05 Feb 2014 21:10:50 GMT

The easiest way to try this out is to do it via rex, which extracts these field for the duration of the search. I.e. the configuration is not stored in any config file:

your search for events | rex "Number\sof\records\s+:\s+(?<rec_num>\d+)\s+Total Size of records\s+:\s+(?<rec_size>\d+) | timechart span=1d avg(rec_num) avg(rec_size)

Re: Raw data into calculation.

axl88 — Thu, 06 Feb 2014 21:53:20 GMT

Thanks for the answer. With little modification, it worked fine for me. IFX tool was really helpful on making these modifications.