Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Min , Max functions not returning expected in search

LNS
Engager
‎10-22-2021 01:07 AM

Hi,

I have some single string log statements looking like the following:

 

INFO ControllerNameHere f1d46561-b382-4685-9d7a-ebd76f40c355 EXT | <action> | Time 80

 

I want to make a query that groups the <action> types and then calculates the min, max and avg of the Time part of the string. So far i have had success with average:

 

index=my_index* host=hostName EXT | rex field=_raw "(EXT \| )(?<CategoryString>.+)( \| Time)" | rex field=_raw "(\| Time)(?<TimeValue>.+)" | stats mean(TimeValue) BY CategoryString

 

which returns the mean value of all entries. The data foundation of the query looks like:

LNS_1-1634889752858.png

All is grouped by 4 actions per one request, meaning that the first action: has the following values: 80, 45, 71, 63, 458.

When i then run the above query i get a correct result with mean:

LNS_2-1634889863973.png

But when switching to e.g. max, i get a maximum value of 80. which seems wrong, however it corresponds to the latest value. What am i missing here?

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

LNS
Engager
‎10-22-2021 01:44 AM

I forgot to add a space after my Time in the query:

| rex field=_raw "(EXT \| )(?<CategoryString>.+)( \| Time)" | rex field=_raw "(\| Time )(?<TimeValue>.+)" | stats count, mean(TimeValue) as Average BY CategoryString | table CategoryString count Average

I assume the value was then read as a string instead of a number.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎10-22-2021 01:56 AM

I'm not sure but I wouldn't be surprised if mean() did some implicit casting to a numeric value while max() treated the field as text (thus max value in the lexicographic order would indeed be "80"). Try casting it to a number field by

| eval TimeValue=tonumber(TimeValue)

 and then doing your stats

0 Karma
Reply
Solved! Jump to solution
Solution

LNS
Engager
‎10-22-2021 01:44 AM

I forgot to add a space after my Time in the query:

| rex field=_raw "(EXT \| )(?<CategoryString>.+)( \| Time)" | rex field=_raw "(\| Time )(?<TimeValue>.+)" | stats count, mean(TimeValue) as Average BY CategoryString | table CategoryString count Average

I assume the value was then read as a string instead of a number.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...