Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Calculate average from two fields

BornConfused
Engager
‎10-11-2020 09:36 PM

My initial log looks something like:

The quick brown fox jumps over the lazy dog, and it jumped in 23092 seconds.

Trying to extract the number value and get an average. I have a query which extracts the 14th value, essentially a time field. This query works, but I am trying to get an average of the times per host.

| rex field=_raw "(\S+\s+){13}(?<processTime>\S+)\s"
| stats count by processTime, host

processTime                host
23092                             host123
45098                             host088
98987                             host238
23092                             host123
23092                             host123
98656                             host088
54545                             host238

I need an average for host123, host088, host238

The above query is also grouping the same times and displaying the counts, which is not preferred. 

 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

rnowitzki
Builder
‎10-12-2020 08:14 AM

Hi @BornConfused ,

If I understood your requirement correct, it should be as simple as:

|  stats avg(processTime) by host

 
When I add the sample table you provided as input, the given command puts out the average processing time per host:

host	avg(processTime)
host088	71877
host123	23092
host238	76766


Hope it helps.
BR
Ralph

--
Karma and/or Solution tagging appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

rnowitzki
Builder
‎10-12-2020 08:14 AM

Hi @BornConfused ,

If I understood your requirement correct, it should be as simple as:

|  stats avg(processTime) by host

 
When I add the sample table you provided as input, the given command puts out the average processing time per host:

host	avg(processTime)
host088	71877
host123	23092
host238	76766


Hope it helps.
BR
Ralph

--
Karma and/or Solution tagging appreciated.
0 Karma
Reply
Solved! Jump to solution

BornConfused
Engager
‎10-12-2020 08:21 AM

Thank you ! This worked like a charm, I didn't think it was this easy.

0 Karma
Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎10-11-2020 10:16 PM

Please check this: 

base search query| stats count(processTime) by host 
| stats avg(count) as AvgProcessTime by host

 

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply
Solved! Jump to solution

BornConfused
Engager
‎10-12-2020 07:59 AM

Thank you, for your answer. But, this would return the number of times the base search was found by host:

| stats count(processTime) by host

but thats not what is expected. I have updated the question to reflect the initial log. 

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...