Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to calculate average of value pairs within a field

maalvare
New Member
‎09-29-2015 06:37 AM

I need to extract value pairs from a field (string=integer) and then calculate the average of each of the strings.

The field in question looks like this
… [T=76ms,Rquest1=1, Request2=70, Request3=100, Request10=7]
… [T=134ms,Rquest1=11, Request7=700, Request8=1]

The query I am using looks something like this

<filters such as earliest=-1m> | makemv tokenizer="(.+?)(?=,|$),?" views   | rex field=filtered_views "(?<int_call>.*)=(?<int_time>.*)" | table T, int_call, int_time

That gives me the output on the attached image alt text

I want the average of Rquest1, Request2, Request3, etc.

The content comes from an app server log and the strings are calls to inner processes that happen for a particular request. That means that the strings can vary and there is not a comprehensive, stable list of values I can use to match as suggested on Question 6966 or Question 45993

Note that I can remove T to simplify the request, but the values on int_call and int_time will remain as groups, not as individual fields
Thank you in advance. This is eating my brain out.

splunktable.png
Preview file
6 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lpolo
Motivator
‎09-29-2015 08:10 AM

try this:

your query |mvexpand init_time|stats avg(init_time) by T

Thanks,
Lp

View solution in original post

0 Karma
Reply
Solved! Jump to solution

maalvare
New Member
‎09-30-2015 05:37 AM

Thank you for the answers.

@Ipolo answer was very close to what I needed. I simply added by int_call as 

<filters such as earliest=-1m> | makemv tokenizer="(.+?)(?=,|$),?" views   | rex field=filtered_views "(?<int_call>.*)=(?<int_time>.*)" | mvexpand init_time|stats avg(int_time) by int_call

@somesoni2 Your query is very interesting and I would like to play more with t. However, it seems I would have to know the fields to populate tepm, isn't? or I just simply paste my filtered_views in there? I could not get it to work so I wanted to clarify

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎09-29-2015 08:26 AM

Try something like this (lines before extract is just get a dataset with your sample data, replace it with your base search)

| gentimes start=-1 | eval temp="… [T=76ms,Request1=1, Request2=70, Request3=100, Request10=7]#… [T=134ms,Request1=11, Request7=700, Request8=1]" | table temp | makemv temp delim="#" | mvexpand temp | rename temp as _raw
| extract kvdelim="=:" pairdelim=",]" | stats avg(Request*) as Request*
0 Karma
Reply
Solved! Jump to solution
Solution

lpolo
Motivator
‎09-29-2015 08:10 AM

try this:

your query |mvexpand init_time|stats avg(init_time) by T

Thanks,
Lp

0 Karma
Reply
Get Updates on the Splunk Community!

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...

Index This | What goes away as soon as you talk about it?

May 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this month’s ...
Top