Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Performing calculations on multi-valued fields
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Performing calculations on multi-valued fields
Hello, I am trying to perform calculations on multiple fields.
I am working with data in the format of Key='value1,value2,value3,value4' which can contain anywhere from 1 to 4 values.
Input:
height='32,12,14,13' or width='32'
as well as variance='3.24e-2,4.23e+3,1.12e-4,1.01e-3'
Query:
`
index=myindex sourcetype=mysourcetype
| transaction source
| foreach *
[eval <>=if(match('<>', "[\d.,e+-]+"), '<>', '')
| eval total=0 | eval count=1
| eval <>=replace(<>,"\'","")
| makemv delim="," '<>'
| mvexpand '<>'
| foreach <>
[eval total_<
| eval count=count + 1]
| eval avg_<>=<>/count]
| table *, total, count
| transpose include_empty=false 10
`
Expected Output:
height=17.75
width=32
variance=1.0575e+3
Actual Output:
height=032,12,14,13, width=32
variance=03.24e-2,4.23e+3,1.12e-4,1.01e-3
Thank you in advance for any help provided!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
can you share sample events and desired results?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Adonio, here is an example event.
21-Mar-19 05:10:46
total_Height_mm='66,41,29,28'
Each event has a different multi-value pair.
There are ~150+ events per source
Thank you!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am still puzzled as to what is the desired output ...
can you share at least 10 events and the desired output from search?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I apologize, hopefully this will be clearer
If I had an event like this:
21-Mar-19 05:10:46
total_Height_mm='66,41,29,28'
I would expect to get:
avg_total_Height_mm=(66 + 41 + 29 + 28)/4 = 41
Here are some additional events and their desired output:
21-Mar-19 05:10:46
total_Pressure_psi='16.16,16.16,16.16,16.16'
Output:
avg_total_Pressure_psi = 16.16
21-Mar-19 05:10:46
total_Pressure_kpa='3.2405e+2,3.8095e+2,3.4152e+2,3.9155e+2'
Output:
avg_total_Pressure_kpa=3.595175e+2
Thank you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hope i understood your question, try this out.
also, plenty will depend on how the data is indexed and the fields you extract
| makeresults count=1
| eval data = "21-Mar-19 05:10:46 total_Height_mm='66,41,29,28';;;21-Mar-19 05:10:46 total_Pressure_psi='16.16,16.16,16.16,16.16';;;21-Mar-19 05:10:46 total_Pressure_kpa='3.2405e+2,3.8095e+2,3.4152e+2,3.9155e+2'"
| makemv delim=";;;" data
| mvexpand data
| rex field=data "(?<time>\S+\s\S+)\s(?<fields>[^\=]+)\=\'(?<values>[^\']+)"
| makemv delim="," values
| mvexpand values
| stats avg(values) as avg_value by fields
Introducing a Smarter Way to Discover Apps on Splunkbase
How to Send Splunk Observability Alerts to Webex teams in Minutes
.conf25 Registration is OPEN!
