Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to perform aggregations on multiple occurrence...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to perform aggregations on multiple occurrences of a field inside a single event
hsharma20
Engager
04-11-2018
06:00 PM
Hi,
I have data something like this:
Events in splunk search are as follows
04:30 [timestamp] [text] type = a count = 10
[timestamp] [text] type = a count = 30
04:31 [timestamp] [text] type = a count = 30
[timestamp] [text] type = a count = 20
when I run the following query
"index = test source=".log" "type = a" count
| stats avg(count)
I get (10 + 30)/2 = 20
But I need to get (10+30+30+20) /4 = 45 (irrespective of events)
Can anyone help me on this ?
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
DalJeanis
Legend
04-11-2018
09:07 PM
Stats works just fine if the values are in a multivalue field by that name. This probably means that your search time extractions haven't been properly set up to deal with the fact that there can be more than one.
Try this ..
your base search
| rex max_match=0 "type =\s+(?<mytype>\S+)\s+count = (?<mycount>\d+)"
| eventstats avg(mycount) as overal_average
That will give you the overall average of all lines - which in this case is 22.5.
Here's a run-anywhere sample that shows that
| makeresults count=2
| streamstats count as recno
| eval _raw=if(recno=1,
" blah blah type = a count = 10 blah blah type = a count = 30",
" blah blah type = a count = 30 blah blah type = a count = 20")
| rex max_match=0 "type =\s+(?<mytype>\S+)\s+count = (?<mycount>\d+)"
| eventstats avg(mycount) as overall_average
Now, if you want to FIRST sum up all the counts per record, then average the records, then you need to do those steps in order.
| makeresults count=2
| streamstats count as recno
| eval _raw=if(recno=1,
" blah blah type = a count = 10 blah blah type = a count = 30",
" blah blah type = a count = 30 blah blah type = a count = 20")
| rex max_match=0 "type =\s+(?<mytype>\S+)\s+count = (?<mycount>\d+)"
| streamstats count as recno
| eventstats sum(mycount) as line_sum by recno
| eventstats avg(line_sum) as overall_average
Once you are satisfied that your system is calculating correctly, then change the eventstats to stats and all the detail lines will go away.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hsharma20
Engager
04-11-2018
09:50 PM
Thank you very much @DalJeanis, Now I am able to get all the values. But from what I see is that the event is returning event list than a table like stats.
Get Updates on the Splunk Community!
Splunk Answers Content Calendar, June Edition
Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...
What You Read The Most: Splunk Lantern’s Most Popular Articles!
Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
See your relevant APM services, dashboards, and alerts in one place with the updated ...
As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...
