Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to calculate average of value pairs within a field

maalvare
New Member
‎09-29-2015 06:37 AM

I need to extract value pairs from a field (string=integer) and then calculate the average of each of the strings.

The field in question looks like this
… [T=76ms,Rquest1=1, Request2=70, Request3=100, Request10=7]
… [T=134ms,Rquest1=11, Request7=700, Request8=1]

The query I am using looks something like this

<filters such as earliest=-1m> | makemv tokenizer="(.+?)(?=,|$),?" views   | rex field=filtered_views "(?<int_call>.*)=(?<int_time>.*)" | table T, int_call, int_time

That gives me the output on the attached image alt text

I want the average of Rquest1, Request2, Request3, etc.

The content comes from an app server log and the strings are calls to inner processes that happen for a particular request. That means that the strings can vary and there is not a comprehensive, stable list of values I can use to match as suggested on Question 6966 or Question 45993

Note that I can remove T to simplify the request, but the values on int_call and int_time will remain as groups, not as individual fields
Thank you in advance. This is eating my brain out.

Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lpolo
Motivator
‎09-29-2015 08:10 AM

try this:

your query |mvexpand init_time|stats avg(init_time) by T

Thanks,
Lp

View solution in original post

0 Karma
Reply
Solved! Jump to solution

maalvare
New Member
‎09-30-2015 05:37 AM

Thank you for the answers.

@Ipolo answer was very close to what I needed. I simply added by int_call as 

<filters such as earliest=-1m> | makemv tokenizer="(.+?)(?=,|$),?" views   | rex field=filtered_views "(?<int_call>.*)=(?<int_time>.*)" | mvexpand init_time|stats avg(int_time) by int_call

@somesoni2 Your query is very interesting and I would like to play more with t. However, it seems I would have to know the fields to populate tepm, isn't? or I just simply paste my filtered_views in there? I could not get it to work so I wanted to clarify

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎09-29-2015 08:26 AM

Try something like this (lines before extract is just get a dataset with your sample data, replace it with your base search)

| gentimes start=-1 | eval temp="… [T=76ms,Request1=1, Request2=70, Request3=100, Request10=7]#… [T=134ms,Request1=11, Request7=700, Request8=1]" | table temp | makemv temp delim="#" | mvexpand temp | rename temp as _raw
| extract kvdelim="=:" pairdelim=",]" | stats avg(Request*) as Request*
0 Karma
Reply
Solved! Jump to solution
Solution

lpolo
Motivator
‎09-29-2015 08:10 AM

try this:

your query |mvexpand init_time|stats avg(init_time) by T

Thanks,
Lp

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...