topic Re: How to extract a numeric value from my field and create an average? in Splunk Search

How to extract a numeric value from my field and create an average?

UCOP — Wed, 18 May 2016 14:18:13 GMT

I have created a field extraction for the data I am looking for. The field looks as follows:

messages_read total/interval/max=11581602/2067/3143

This line in the messages is received approximately every 10 sec. I would like to be able to extract the 2067 which is the number of messages read in the last 10 sec and obtain an average of the messages read over a specified amount of time, i.e. an hour or 24 hours.

Re: How to extract a numeric value from my field and create an average?

sundareshr — Wed, 18 May 2016 16:25:20 GMT

Like this

.... | rex field=messages_read total/interval/max "\d+\/\(?<interval>d+)\/" | timechart span=1h avg(interval) AS avgInterval

You can adjust the span to s, m, h, d, w, mon etc.

Re: How to extract a numeric value from my field and create an average?

UCOP — Thu, 19 May 2016 15:01:06 GMT

Thank you for your quick response. I received the following error:

Error in 'rex' command: The regex 'total/interval/max' does not extract anything. It should specify at least one named group. Format: (?...).

The full search string is as follows:

index=* OR index=_* source="/zones/COP1/root/var/svc/log/application-ucop-topcop-pub:default.log" | rex field=messages_read total/interval/max "\d+\/\(?d+)\/" | timechart span=1h avg(interval) AS avgInterval

So I am sure I am doing something wrong.

Re: How to extract a numeric value from my field and create an average?

jkat54 — Thu, 19 May 2016 15:26:47 GMT

See if this works:

index= OR index=_ source="/zones/COP1/root/var/svc/log/application-ucop-topcop-pub:default.log" | rex "\d+\/(?<interval>\d+)\/"| timechart span=1h avg(interval) AS avgInterval

Re: How to extract a numeric value from my field and create an average?

sundareshr — Thu, 19 May 2016 15:32:28 GMT

I had the starting quote in the wrong place. Try this

.... | rex field=messages_read "total/interval/max=?\d+\/\(?<interval>d+)\/" | timechart span=1h avg(interval) AS avgInterval

.... | rex field=messages_read "?\d+\/\(?<interval>d+)\/" | timechart span=1h avg(interval) AS avgInterval

Re: How to extract a numeric value from my field and create an average?

somesoni2 — Thu, 19 May 2016 15:35:48 GMT

There is an additional slash in the answer. This should work fine.

Updated
Good catch by @jkat54

 .... | rex field=messages_read total/interval/max "\d+\/(?<interval>\d+)\/" | timechart span=1h avg(interval) AS avgInterval

Re: How to extract a numeric value from my field and create an average?

UCOP — Thu, 19 May 2016 16:12:10 GMT

Okay. It looks like it is getting closer.

I am using the following:

source="/zones/COP1/root/var/svc/log/application-ucop-topcop-pub:default.log" | rex field=messages_read "total/interval/max=?\d+\/(?d+)\/" | timechart span=1h avg(interval) AS avgInterval

On the Statistics tab there is a _time column and a avgInterval column, but there is nothing listed in the avgInterval column. Would I expect to see a number in that column, equating to an average of all the results for an hour?

Much appreciated!

Re: How to extract a numeric value from my field and create an average?

jkat54 — Thu, 19 May 2016 16:31:18 GMT

Need a slash in front of the d+ in the capture group and the field name isn't messages_read. The answer I gave should work fine.

Re: How to extract a numeric value from my field and create an average?

jkat54 — Thu, 19 May 2016 16:52:26 GMT

Now remove the field=messages_read and total/interval/max and it'll be a ok. I wouldn't have posted a new answer if sundareshr's answer didn't have so many mistakes. You'll see where I just offer corrections in comments when folks are close. Now however his updated answer has an extra ? too.