https://community.splunk.com/t5/Splunk-Search/aggregating-field-values/m-p/30976#M6354 <P>I have a specific field that has similar values that I want to group together and obtain an average of another fields value. For example, if the field had the values Bob Sanders, Bob Baker, Sam Winters, and Sam Smith. Each one of these has a numeric value in another field. I would want to group the Bob's and Sam's together and get the average of the values of the numeric field for each.</P> <P>Like this<BR /> Bob, 20<BR /> Sam, 36 </P> <P>Anybody have idea's?</P> Thu, 19 Apr 2012 15:38:18 GMT jedatt01 2012-04-19T15:38:18Z https://community.splunk.com/t5/Splunk-Search/aggregating-field-values/m-p/30976#M6354 <P>I have a specific field that has similar values that I want to group together and obtain an average of another fields value. For example, if the field had the values Bob Sanders, Bob Baker, Sam Winters, and Sam Smith. Each one of these has a numeric value in another field. I would want to group the Bob's and Sam's together and get the average of the values of the numeric field for each.</P> <P>Like this<BR /> Bob, 20<BR /> Sam, 36 </P> <P>Anybody have idea's?</P> Thu, 19 Apr 2012 15:38:18 GMT https://community.splunk.com/t5/Splunk-Search/aggregating-field-values/m-p/30976#M6354 jedatt01 2012-04-19T15:38:18Z https://community.splunk.com/t5/Splunk-Search/aggregating-field-values/m-p/30977#M6355 <P>Assuming that the CSV looks like this:</P> <PRE><CODE>first,last,age Bob,Sanders,23 Sam,Johnson,36 Bob,Jackson,39 Sam,Conrad,21 </CODE></PRE> <P>The search would look like:</P> <PRE><CODE>first=Bob OR first=Sam | stats avg(age) by first </CODE></PRE> <P>The results would look like this:</P> <PRE><CODE>first avg(age) ------------------ Bob 31 Sam 28.5 </CODE></PRE> Thu, 19 Apr 2012 16:20:07 GMT https://community.splunk.com/t5/Splunk-Search/aggregating-field-values/m-p/30977#M6355 araitz 2012-04-19T16:20:07Z https://community.splunk.com/t5/Splunk-Search/aggregating-field-values/m-p/30978#M6356 <P>hey araitz, this is jdattilo. It's actually a little more complicated than I first explained. I'm using fictitious data here, but lets say that the data in first and last fields are actually one single field. Can I do a kind of field 'contains' or 'starts with' type of thing? I tried to use substring, which kind of worked but not all my fields entries are the same length so some letters got cut off.</P> Thu, 19 Apr 2012 17:52:06 GMT https://community.splunk.com/t5/Splunk-Search/aggregating-field-values/m-p/30978#M6356 jedatt01 2012-04-19T17:52:06Z https://community.splunk.com/t5/Splunk-Search/aggregating-field-values/m-p/30979#M6357 <P>The best approach would be to use a field extraction on the field. Conf files are best (using SOURCE_KEY in transforms.conf), but you can also try it in the search language. Let's assume that there is a name field that looks like "Bob Johnson":</P> <PRE><CODE>`name="Bob *" OR name="Sam *" | rex field=name "(?&lt;first_name&gt;\S+)" | stat avg(age) by first_name` </CODE></PRE> Thu, 19 Apr 2012 17:56:57 GMT https://community.splunk.com/t5/Splunk-Search/aggregating-field-values/m-p/30979#M6357 araitz 2012-04-19T17:56:57Z https://community.splunk.com/t5/Splunk-Search/aggregating-field-values/m-p/30980#M6358 <P>What you have is a multivalue field. To get to the values use the mvindex command.<BR /> mvindex(multifield, 2)</P> <P>First check if a field is multivalued:<BR /> mvcount(multifield)</P> <P>To get to the values In your case:<BR /> | eval name=mvindex(yourmultifield,0) | eval surname=mvindex(yourmultifield,1) | ...</P> <P>You can also split a field to get a multivalued field.<BR /> split(foo, ";")</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/CommonEvalFunctions">http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/CommonEvalFunctions</A></P> Thu, 19 Apr 2012 22:37:59 GMT https://community.splunk.com/t5/Splunk-Search/aggregating-field-values/m-p/30980#M6358 amstaff 2012-04-19T22:37:59Z