Solved: Grouping using regex, then do stats

splunknewbieste · ‎10-19-2015

Assume each event includes 2 fields: path and duration among other fields.
Path can have values: (i) type1 = /x/y/, (ii) type2 = x/y/\d+ , eg. /x/y/1234, (iii) type3= z/t/, (iv) anything else.
How can I calculate the avg(duration) per type of path, only consider type1, type2, and type3, the rest is not interested?

| spath path | .... some how group the paths into different groups using regex ... | stats avg(duration) by path

I could do

... | regex path="/x/y(/\d+)?|/z/t/" | stats avg(duration) by path

but the problem is that /x/y/1234 will be treated differently from /x/y/2345 while I want to group all of them into type2.

clorne · ‎10-19-2015

Hello,
I would do something like that:
- creation of a temporary variable type!path which takes different value according to the value of Path

eval type_path = case(match(Path, "\/x\/y\/"), path_type1, match(Path,"\/x\/y\/\d+"), path_type2, match(Path,"\/z\/t\/"), path_type3)| stats avg(duration) by type_path

regards

View solution in original post

clorne · ‎10-19-2015

Hello,
I would do something like that:
- creation of a temporary variable type!path which takes different value according to the value of Path

eval type_path = case(match(Path, "\/x\/y\/"), path_type1, match(Path,"\/x\/y\/\d+"), path_type2, match(Path,"\/z\/t\/"), path_type3)| stats avg(duration) by type_path

regards

somesoni2 · ‎10-19-2015

Above can be applied after your regex filter.

splunknewbieste · ‎10-19-2015

Yes, I think that works. Thanks @clorne.

Grouping using regex, then do stats

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

GA: New Data Management App in Splunk Platform

Announcing Modern Navigation: A New Era of Splunk User Experience

Join the Conversation