Splunk Search

How to average fields together across multiple columns grouped together by the field name containing a specific string ?

Engager

I am trying to average fields together across multiple columns based on a specific string (A_Field and B_Field)

For Example:

  T1A_Field  T1B_Field  T2A_Field  T2B_Field .......T10A_Field  T10B_Field
1. 2            3          2          6                 5           3
2. 3            4          3          5                 3           7

To:

 A_Field  B_Field
1. 3        4
2. 3        5.33

I can't seem to wrap my head around how to average the fields together across columns with the condition that the field name contains either A_Field or B_Field. I would type it out individually to get the overall group average, but there are a larger number of fields than what was listed above and it becomes too inefficient. Apologies, as I am still in the learning process with Splunk.

0 Karma
1 Solution

SplunkTrust
SplunkTrust

This is a great case for foreach:

... | foreach A_Field B_Field [eval sum_<<FIELD>> = 0, count_<<FIELD>> = 0]
| foreach  *A_Field [eval sum_A_Field = sum_A_Field + '<<FIELD>>', count_A_Field = count_A_Field + 1]
| foreach  *B_Field [eval sum_B_Field = sum_B_Field + '<<FIELD>>', count_B_Field = count_B_Field + 1]
| foreach A_Field B_Field [eval avg_<<FIELD>> = sum_<<FIELD>> / count_<<FIELD>>]

View solution in original post

0 Karma

SplunkTrust
SplunkTrust

This is a great case for foreach:

... | foreach A_Field B_Field [eval sum_<<FIELD>> = 0, count_<<FIELD>> = 0]
| foreach  *A_Field [eval sum_A_Field = sum_A_Field + '<<FIELD>>', count_A_Field = count_A_Field + 1]
| foreach  *B_Field [eval sum_B_Field = sum_B_Field + '<<FIELD>>', count_B_Field = count_B_Field + 1]
| foreach A_Field B_Field [eval avg_<<FIELD>> = sum_<<FIELD>> / count_<<FIELD>>]

View solution in original post

0 Karma

Engager

This is a neat and clean approach to solve the problem I was having. Much easier to understand this way versus the overly convoluted field extraction I had setup in my search. Thanks again for the help.

0 Karma