Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Average Field results based of matching two ot...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Looking to take the following data sample and average the Latency columns based off the matching of Out and In fields. I've already taken the main search string and built reports around a rt timechart of average sorted by either Out or In; but would like a report that would show the average over 1 hr by distinct In & Out uniqueness
Example:
Latency, In, Out
00:00:01 SourceA SourceB
00:00:40 SourceA SourceC
00:00:01 SourceA SourceB
00:00:01 SourceB SourceB
00:00:01 SourceA SourceC
00:00:02 SourceA SourceC
00:00:01 SourceA SourceB
00:00:01 SourceA SourceB
00:00:01 SourceB SourceA
00:00:01 SourceA SourceB
00:00:30 SourceB SourceC
I've already taken the main search string and built reports around a rt average sorted by either Out or In.
Would like it to look for any "In" and "Out" match them up and calculate the average of each one. With the above example it would be:
00:00:01 SourceA SourceB
00:00:01 SourceA SourceB
00:00:01 SourceA SourceB
00:00:01 SourceA SourceB
00:00:01 SourceA SourceB
00:00:01 SourceB SourceB
00:00:01 SourceA SourceC
00:00:02 SourceA SourceC
00:00:40 SourceA SourceC
00:00:01 SourceB SourceA
00:00:30 SourceB SourceC
Result Table desired outcome:
Latency, In, Out
00:00:01, SourceA, SourceB
00:00:01, SourceB, SourceB
00:00:14, SourceA, SourceC
00:00:01. SourceB, SourceA
00:00:30, SourceB, SourceC
I would also be performing the same eval of Latency to show the max but figure that would be a simple change of performing the above by using max( ) instead of avg( ).
Hopefully this makes sense.
Best Regards,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why not
yoursearchhere
| latInSec = strptime(Latency,"%H:%M:%S")
| stats avg(latInSec) by In Out
| eval Average_Latency = tostring(latInSec,"duration")
| fields - latInSec
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why not
yoursearchhere
| latInSec = strptime(Latency,"%H:%M:%S")
| stats avg(latInSec) by In Out
| eval Average_Latency = tostring(latInSec,"duration")
| fields - latInSec
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks worked great, though I did take out the time format conversion as its done prior. Guess the stats is the main function to perform a calculations based on grouping of other fields I was looking for.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
