How to extract a numeric value from my field and create an average?

UCOP
New Member

I have created a field extraction for the data I am looking for. The field looks as follows:

messages_read total/interval/max=11581602/2067/3143

This line in the messages is received approximately every 10 sec. I would like to be able to extract the 2067 which is the number of messages read in the last 10 sec and obtain an average of the messages read over a specified amount of time, i.e. an hour or 24 hours.

0 Karma
1 Solution

sundareshr
Legend

Like this

.... | rex field=messages_read total/interval/max "\d+\/\(?<interval>d+)\/" | timechart span=1h avg(interval) AS avgInterval

You can adjust the span to s, m, h, d, w, mon etc.

0 Karma

jkat54
SplunkTrust

See if this works:

index= OR index=_ source="/zones/COP1/root/var/svc/log/application-ucop-topcop-pub:default.log" | rex "\d+\/(?<interval>\d+)\/"| timechart span=1h avg(interval) AS avgInterval

0 Karma


UCOP
New Member

Thank you for your quick response. I received the following error:

Error in 'rex' command: The regex 'total/interval/max' does not extract anything. It should specify at least one named group. Format: (?<name>...).

The full search string is as follows:

index=* OR index=_* source="/zones/COP1/root/var/svc/log/application-ucop-topcop-pub:default.log" | rex field=messages_read total/interval/max "\d+\/\(?<interval>d+)\/" | timechart span=1h avg(interval) AS avgInterval

So I am sure I am doing something wrong.

0 Karma

somesoni2
Revered Legend

There is an additional slash in the answer. This should work fine.

Updated
Good catch by @jkat54

.... | rex field=messages_read total/interval/max "\d+\/(?<interval>\d+)\/" | timechart span=1h avg(interval) AS avgInterval

0 Karma

jkat54
SplunkTrust

Need a slash in front of the d+ in the capture group and the field name isn't messages_read. The answer I gave should work fine.

0 Karma

jkat54
SplunkTrust

Now remove the field=messages_read and total/interval/max and it'll be A-OK. I wouldn't have posted a new answer if sundareshr's answer didn't have so many mistakes. You'll see where I just offer corrections in comments when folks are close. Now however his updated answer has an extra ? too.

0 Karma

sundareshr
Legend

I had the starting quote in the wrong place. Try this

.... | rex field=messages_read "total/interval/max=?\d+\/\(?<interval>d+)\/" | timechart span=1h avg(interval) AS avgInterval

OR

.... | rex field=messages_read "?\d+\/\(?<interval>d+)\/" | timechart span=1h avg(interval) AS avgInterval

0 Karma

UCOP
New Member

Okay. It looks like it is getting closer.

I am using the following:

source="/zones/COP1/root/var/svc/log/application-ucop-topcop-pub:default.log" | rex field=messages_read "total/interval/max=?\d+\/(?<interval>d+)\/" | timechart span=1h avg(interval) AS avgInterval

On the Statistics tab there is a _time column and an avgInterval column, but there is nothing listed in the avgInterval column. Would I expect to see a number in that column, equating to an average of all the results for an hour?

Much appreciated!

0 Karma
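To show why a rex pattern that never matches yields an empty avgInterval column, here is an added Python example (not from the original thread) that runs a corrected pattern and the last post's pattern (where `d+` is a literal `d`, not a digit class) over constructed sample events and buckets them by hour the way `timechart span=1h avg(interval)` does. Python writes named groups as `(?P<name>...)` where Splunk's rex uses `(?<name>...)`; the timestamps and counts below are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Corrected extraction: the second slash-separated number is the per-interval count.
# SPL equivalent: rex "\d+\/(?<interval>\d+)\/"
GOOD = re.compile(r"messages_read total/interval/max=\d+/(?P<interval>\d+)/\d+")

# Pattern from the last post, translated to Python syntax. 'd+' requires one or more
# literal 'd' characters where the digits are, so it can never match "2067".
BAD = re.compile(r"total/interval/max=?\d+/(?P<interval>d+)/")

# Constructed sample events (timestamp + raw message), roughly 10 s apart.
SAMPLE_LOG = """\
2016-03-01T10:00:00 messages_read total/interval/max=11581602/2067/3143
2016-03-01T10:00:10 messages_read total/interval/max=11583669/2067/3143
2016-03-01T10:00:20 messages_read total/interval/max=11586201/2532/3143
2016-03-01T11:00:05 messages_read total/interval/max=11900000/1500/3143
2016-03-01T11:00:15 messages_read total/interval/max=11901700/1700/3143
"""


def extract_interval(message, pattern=GOOD):
    """Return the interval count as an int, or None when the regex does not match
    (rex leaves the field unset for that event)."""
    m = pattern.search(message)
    return int(m.group("interval")) if m else None


def hourly_avg(log_text, pattern=GOOD):
    """Mimic `timechart span=1h avg(interval)`: bucket events by hour and average the
    extracted values. A bucket where nothing was extracted averages to None, which is
    exactly the empty avgInterval column seen in the thread."""
    buckets = defaultdict(list)
    for line in log_text.splitlines():
        ts, _, message = line.partition(" ")
        hour = datetime.fromisoformat(ts).replace(minute=0, second=0, microsecond=0)
        value = extract_interval(message, pattern)
        if value is not None:
            buckets[hour].append(value)
        else:
            buckets[hour]  # register the bucket even if nothing was extracted
    return {
        hour.isoformat(): (sum(vals) / len(vals) if vals else None)
        for hour, vals in sorted(buckets.items())
    }


if __name__ == "__main__":
    print(hourly_avg(SAMPLE_LOG))        # averages per hour
    print(hourly_avg(SAMPLE_LOG, BAD))   # every hour is None
```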