Splunk Search

How to search for the Min, Max, Average of several fields of the same event?

jwidhalm
Explorer

I have events with several fields and the fields have a common portion and a variable portion: i.e. aaaaa0500 = 234, aaaaa0501 = 432, aaaaa0502 = 302, etc. I want to find the Min, Max, and Average of the values of these fields, within each event, over time.

Ive found/tried several examples but nothing achieved the desired results. The closest I came was:
...| stats max(aaaaa05*), min(aaaaa05*), avg(aaaaa05*) by _time

But this yields the stats for each field within each event which is not what I am looking for. Using the example data above, if the above data were in the same event, then I would want to see: Min=234, Max=432, Avg=322.6

Any ideas would be appreciated

Tags (5)
1 Solution

martin_mueller
SplunkTrust
SplunkTrust

You can use this slightly cumbersome beast:

base search | eval max = -9999999 | eval min = 9999999 | eval sum = 0 | eval count = 0
|  foreach aaaaa* [eval max = if('<<FIELD>>' > max, '<<FIELD>>', max) | eval min = if('<<FIELD>>' < min, '<<FIELD>>', min) | eval sum = sum + '<<FIELD>>' | eval count = count + 1]
| eval avg = sum / count

View solution in original post

martin_mueller
SplunkTrust
SplunkTrust

You can use this slightly cumbersome beast:

base search | eval max = -9999999 | eval min = 9999999 | eval sum = 0 | eval count = 0
|  foreach aaaaa* [eval max = if('<<FIELD>>' > max, '<<FIELD>>', max) | eval min = if('<<FIELD>>' < min, '<<FIELD>>', min) | eval sum = sum + '<<FIELD>>' | eval count = count + 1]
| eval avg = sum / count

View solution in original post

jwidhalm
Explorer

Thank you Martin! This did the trick.

-John

0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!