Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Average of the total count

krusovice
Path Finder
‎03-11-2018 11:01 PM

Hello all,

How can I get the average of the output as below?

Calculation is 40 + 20 + 50 / 3 = 36.6

REQUEST          ID          DURATION          AVERAGE
AAA              1122        40 seconds        36.6 seconds
BBB              3344        20 seconds
CCC              5566        50 seconds

Thanks.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

493669
Super Champion
‎03-11-2018 11:17 PM

Hi @krusovice,
try this:

...|rex field="DURATION" "(?<DURATION>\d+)"
|eventstats avg(DURATION) as average
|eval average=round(average,1)." seconds"

Try this run anywhere search:

|makeresults|eval REQUEST="AAA", DURATION="40 seconds"
|append[|makeresults|eval REQUEST="BBB", DURATION="20 seconds"]
|append[|makeresults|eval REQUEST="CCC", DURATION="50 seconds"]
|rex field="DURATION" "(?<DURATION>\d+)"
|eventstats avg(DURATION) as average
|eval average=round(average,1)." seconds"

View solution in original post

0 Karma
Reply
Solved! Jump to solution

deepashri_123
Motivator
‎03-11-2018 11:19 PM

Hey krusovoice,

You can try this run anywhere query:

| makeresults | eval Request="AAA BBB CCC" | makemv Request| mvexpand Request | appendcols [| makeresults | eval ID="1122 3344 5566" | makemv ID| mvexpand ID ] |  appendcols [| makeresults | eval Duration="40seconds 50seconds 20seconds" | makemv Duration| mvexpand Duration ] |rex field=Duration "(?P<Dur>\d+)"| eventstats avg(Dur) AS avgDur

OR you can add this to your query:
|rex field=Duration "(?P\d+)"| eventstats avg(Dur) AS avgDur

Let me know if this helps!!

0 Karma
Reply
Solved! Jump to solution

krusovice
Path Finder
‎03-11-2018 11:58 PM

Hi deepashri_123,

eventstats just make the trick! Thank you as always.

0 Karma
Reply
Solved! Jump to solution

deepashri_123
Motivator
‎03-15-2018 01:49 AM

@krusovice,
Please Upvote the answer if that helped!!
Thanks!!

0 Karma
Reply
Solved! Jump to solution
Solution

493669
Super Champion
‎03-11-2018 11:17 PM

Hi @krusovice,
try this:

...|rex field="DURATION" "(?<DURATION>\d+)"
|eventstats avg(DURATION) as average
|eval average=round(average,1)." seconds"

Try this run anywhere search:

|makeresults|eval REQUEST="AAA", DURATION="40 seconds"
|append[|makeresults|eval REQUEST="BBB", DURATION="20 seconds"]
|append[|makeresults|eval REQUEST="CCC", DURATION="50 seconds"]
|rex field="DURATION" "(?<DURATION>\d+)"
|eventstats avg(DURATION) as average
|eval average=round(average,1)." seconds"
0 Karma
Reply
Solved! Jump to solution

krusovice
Path Finder
‎03-11-2018 11:53 PM

Thank you @493669 for the great helps! It's work well in my dashboard.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...