Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Need help with splunk query with aggregation over ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
splunknovice
Engager
12-06-2013
01:55 PM
I am trying to construct from my log which logs sla tracking metrics like below:
Message="Metric1=11887,Metric2=179544,Metric3=157892,Metric4=61,Metric5=3438"
Here's the query I am trying with.
host=testmachine* INFO source=/var/log/tomcat/test/app.log | rex max_match=100 field=Message "(?
With the above query, the aggregation seem to be happening across all the matches, i.e. all the metric show the same value of avg(latency). Is there a way I can relate the metric and latency together?
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
12-06-2013
02:43 PM
You can try something like this for starter.
host=testmachine* INFO source=/var/log/tomcat/test/app.log
| rex max_match=100 field=Message "(?P<metric>[^=]+)=(?P<latency>[^,]+)[,]" |eval metric="Metric"| stats avg(latency) by metric
This should give you one entry per host.
Updated answer
Use following:
host=testmachine* INFO source=/var/log/tomcat/test/app.log | rex max_match=100 field=Message "(?P<metricdata>[^,]+)[,]" | table metricdata | mvexpand metricdata | rex field=metricdata "(?<metric>.*)=(?<latency>.*)" | stats avg(latency) by metric
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
12-06-2013
05:19 PM
See my updated answer below. This should do it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
splunknovice
Engager
12-06-2013
03:02 PM
Thanks for a quick response.
Say I've 3 such entries in the log:
Message="Metric1=11887,Metric2=179544,Metric3=157892,Metric4=61,Metric5=3438"
Message="Metric1=10800,Metric2=179040,Metric3=157002,Metric4=60,Metric5=3428"
Message="Metric1=10007,Metric2=179030,Metric3=157101,Metric4=62,Metric5=3418"
I am expecting the output to be average across all the 3 Message field entries for a specific metric.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
12-06-2013
02:43 PM
You can try something like this for starter.
host=testmachine* INFO source=/var/log/tomcat/test/app.log
| rex max_match=100 field=Message "(?P<metric>[^=]+)=(?P<latency>[^,]+)[,]" |eval metric="Metric"| stats avg(latency) by metric
This should give you one entry per host.
Updated answer
Use following:
host=testmachine* INFO source=/var/log/tomcat/test/app.log | rex max_match=100 field=Message "(?P<metricdata>[^,]+)[,]" | table metricdata | mvexpand metricdata | rex field=metricdata "(?<metric>.*)=(?<latency>.*)" | stats avg(latency) by metric
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
12-06-2013
06:37 PM
would you mind closing the question, if everything is set for you?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
12-06-2013
06:20 PM
Glad I could help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
splunknovice
Engager
12-06-2013
06:16 PM
It was mistake on my part. The last query you gave is working like charm. Big thanks to you for helping me construct this query which I was stuck for many hours!!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
12-06-2013
05:59 PM
How are the values coming up in latency column? Do they seem numbers? I used the sample that you provided and I am seeing data.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
splunknovice
Engager
12-06-2013
05:51 PM
Thanks again. I think this is getting closer to what I am expecting. However now the avg(latency) column is empty for all rows. If I remove the | stats avg(latency) by metric, i see data in metric and latency columns as expected. Its the aggregation that's not returning anything.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
12-06-2013
02:40 PM
I guess you're getting data in below form
metric avg(latency) Metric1 87346.000000
Metric2 87346.000000
Metric3 87346.000000
Metric4 87346.000000
What output you're expecting?
Get Updates on the Splunk Community!
Aligning Observability Costs with Business Value: Practical Strategies
Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...
Mastering Data Pipelines: Unlocking Value with Splunk
In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...
Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0
Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...
