Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to calculate average of value pairs within a field

maalvare
New Member
‎09-29-2015 06:37 AM

I need to extract value pairs from a field (string=integer) and then calculate the average of each of the strings.

The field in question looks like this
… [T=76ms,Rquest1=1, Request2=70, Request3=100, Request10=7]
… [T=134ms,Rquest1=11, Request7=700, Request8=1]

The query I am using looks something like this

<filters such as earliest=-1m> | makemv tokenizer="(.+?)(?=,|$),?" views   | rex field=filtered_views "(?<int_call>.*)=(?<int_time>.*)" | table T, int_call, int_time

That gives me the output on the attached image alt text

I want the average of Rquest1, Request2, Request3, etc.

The content comes from an app server log and the strings are calls to inner processes that happen for a particular request. That means that the strings can vary and there is not a comprehensive, stable list of values I can use to match as suggested on Question 6966 or Question 45993

Note that I can remove T to simplify the request, but the values on int_call and int_time will remain as groups, not as individual fields
Thank you in advance. This is eating my brain out.

splunktable.png
Preview file
6 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lpolo
Motivator
‎09-29-2015 08:10 AM

try this:

your query |mvexpand init_time|stats avg(init_time) by T

Thanks,
Lp

View solution in original post

0 Karma
Reply
Solved! Jump to solution

maalvare
New Member
‎09-30-2015 05:37 AM

Thank you for the answers.

@Ipolo answer was very close to what I needed. I simply added by int_call as 

<filters such as earliest=-1m> | makemv tokenizer="(.+?)(?=,|$),?" views   | rex field=filtered_views "(?<int_call>.*)=(?<int_time>.*)" | mvexpand init_time|stats avg(int_time) by int_call

@somesoni2 Your query is very interesting and I would like to play more with t. However, it seems I would have to know the fields to populate tepm, isn't? or I just simply paste my filtered_views in there? I could not get it to work so I wanted to clarify

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎09-29-2015 08:26 AM

Try something like this (lines before extract is just get a dataset with your sample data, replace it with your base search)

| gentimes start=-1 | eval temp="… [T=76ms,Request1=1, Request2=70, Request3=100, Request10=7]#… [T=134ms,Request1=11, Request7=700, Request8=1]" | table temp | makemv temp delim="#" | mvexpand temp | rename temp as _raw
| extract kvdelim="=:" pairdelim=",]" | stats avg(Request*) as Request*
0 Karma
Reply
Solved! Jump to solution
Solution

lpolo
Motivator
‎09-29-2015 08:10 AM

try this:

your query |mvexpand init_time|stats avg(init_time) by T

Thanks,
Lp

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
Top