Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Calculate a number from each entry and present the...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Calculate a number from each entry and present the average of all entries
thewho123
Explorer
05-19-2016
06:07 PM
I have the entries below from different sessions:
sessionId="001" data="[{message=timing_stats, data=[{beginF=1550652.855, endF=1550719.130001}, {beginF=1565741, endF=1565787}, {beginF=1574747, endF=1574782}]}]"
sessionId="002" data="[{message=timing_stats, data=[{beginF=1510652.855, endF=1550719.1001}, {beginF=1865741.4500000002, endF=1565787.645}, {beginF=1974747.655, endF=1974782.6050000002}]}]"
What I want to do is to calculate endF-beginF for each object in the data array. In this case I would have 3 from the session 001 and 3 from session 002. Then I would like to show the average of the six numbers in a graph. How would I accomplish this? -Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sundareshr
Legend
05-19-2016
07:14 PM
Try this
your base search | rex max_match=0 "beginF=(?<begin>\d+\.?\d*),\sendF=(?<end>\d+\.?\d*)" | eval z=mvzip(begin, end) | mvexpand z | rex field=z "^(?<begin>[^,]+),(?<end>.*)$" | stats count avg(begin) AS begin avg(end) AS end by sessionId
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thewho123
Explorer
05-20-2016
10:52 AM
Hi,
This creates a table with sessionId, count, begin, end columns. I needed the average of endF (minus) beginF from each object and calculate their average.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sundareshr
Legend
05-20-2016
11:06 AM
This should give you that...
your base search | rex max_match=0 "beginF=(?<begin>\d+\.?\d*),\sendF=(?<end>\d+\.?\d*)" | eval z=mvzip(begin, end) | mvexpand z | rex field=z "^(?<begin>[^,]+),(?<end>.*)$" | eval diff=end-begin | stats count avg(begin) AS begin avg(end) AS end avg(diff) as diff by sessionId
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thewho123
Explorer
05-25-2016
06:22 PM
I am trying to calculate each pair separately. {beginF=1550652.855, endF=1550719.130001} and then get average of each calculated value
These will be timing values so (total beginF - total endF) will not work..
Get Updates on the Splunk Community!
Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...
This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...
Splunk Community Badges!
Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...
What You Read The Most: Splunk Lantern’s Most Popular Articles!
Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
