topic Re: How to calculate average of value pairs within a field in Splunk Search

How to calculate average of value pairs within a field

maalvare — Tue, 29 Sep 2020 07:25:07 GMT

I need to extract value pairs from a field (string=integer) and then calculate the average of each of the strings.

The field in question looks like this
… [T=76ms,Rquest1=1, Request2=70, Request3=100, Request10=7]
… [T=134ms,Rquest1=11, Request7=700, Request8=1]

The query I am using looks something like this

<filters such as earliest=-1m> | makemv tokenizer="(.+?)(?=,|$),?" views   | rex field=filtered_views "(?<int_call>.*)=(?<int_time>.*)" | table T, int_call, int_time

That gives me the output on the attached image

I want the average of Rquest1, Request2, Request3, etc.

The content comes from an app server log and the strings are calls to inner processes that happen for a particular request. That means that the strings can vary and there is not a comprehensive, stable list of values I can use to match as suggested on Question 6966 or Question 45993

Note that I can remove T to simplify the request, but the values on int_call and int_time will remain as groups, not as individual fields
Thank you in advance. This is eating my brain out.

Re: How to calculate average of value pairs within a field

lpolo — Tue, 29 Sep 2015 15:10:40 GMT

try this:

your query |mvexpand init_time|stats avg(init_time) by T

Thanks,
Lp

Re: How to calculate average of value pairs within a field

somesoni2 — Tue, 29 Sep 2015 15:26:00 GMT

Try something like this (lines before extract is just get a dataset with your sample data, replace it with your base search)

| gentimes start=-1 | eval temp="… [T=76ms,Request1=1, Request2=70, Request3=100, Request10=7]#… [T=134ms,Request1=11, Request7=700, Request8=1]" | table temp | makemv temp delim="#" | mvexpand temp | rename temp as _raw
| extract kvdelim="=:" pairdelim=",]" | stats avg(Request*) as Request*

Re: How to calculate average of value pairs within a field

maalvare — Wed, 30 Sep 2015 12:37:39 GMT

Thank you for the answers.

@Ipolo answer was very close to what I needed. I simply added by int_call as

<filters such as earliest=-1m> | makemv tokenizer="(.+?)(?=,|$),?" views   | rex field=filtered_views "(?<int_call>.*)=(?<int_time>.*)" | mvexpand init_time|stats avg(int_time) by int_call

@somesoni2 Your query is very interesting and I would like to play more with t. However, it seems I would have to know the fields to populate tepm, isn't? or I just simply paste my filtered_views in there? I could not get it to work so I wanted to clarify