Hi,
I have some single string log statements looking like the following:
INFO ControllerNameHere f1d46561-b382-4685-9d7a-ebd76f40c355 EXT | <action> | Time 80
I want to make a query that groups the <action> types and then calculates the min, max and avg of the Time part of the string. So far i have had success with average:
index=my_index* host=hostName EXT | rex field=_raw "(EXT \| )(?<CategoryString>.+)( \| Time)" | rex field=_raw "(\| Time)(?<TimeValue>.+)" | stats mean(TimeValue) BY CategoryString
which returns the mean value of all entries. The data foundation of the query looks like:
All is grouped by 4 actions per one request, meaning that the first action: has the following values: 80, 45, 71, 63, 458.
When i then run the above query i get a correct result with mean:
But when switching to e.g. max, i get a maximum value of 80. which seems wrong, however it corresponds to the latest value. What am i missing here?
I forgot to add a space after my Time in the query:
| rex field=_raw "(EXT \| )(?<CategoryString>.+)( \| Time)" | rex field=_raw "(\| Time )(?<TimeValue>.+)" | stats count, mean(TimeValue) as Average BY CategoryString | table CategoryString count Average
I assume the value was then read as a string instead of a number.
I'm not sure but I wouldn't be surprised if mean() did some implicit casting to a numeric value while max() treated the field as text (thus max value in the lexicographic order would indeed be "80"). Try casting it to a number field by
| eval TimeValue=tonumber(TimeValue)
and then doing your stats
I forgot to add a space after my Time in the query:
| rex field=_raw "(EXT \| )(?<CategoryString>.+)( \| Time)" | rex field=_raw "(\| Time )(?<TimeValue>.+)" | stats count, mean(TimeValue) as Average BY CategoryString | table CategoryString count Average
I assume the value was then read as a string instead of a number.