Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Performing calculations on multi-valued fields

ztayluh
New Member
‎03-22-2019 06:44 AM

Hello, I am trying to perform calculations on multiple fields.

I am working with data in the format of Key='value1,value2,value3,value4' which can contain anywhere from 1 to 4 values.

Input:
height='32,12,14,13' or width='32'
as well as variance='3.24e-2,4.23e+3,1.12e-4,1.01e-3'

Query:
`
index=myindex sourcetype=mysourcetype
| transaction source
| foreach *
[eval <>=if(match('<>', "[\d.,e+-]+"), '<>', '')
| eval total=0 | eval count=1
| eval <>=replace(<>,"\'","")
| makemv delim="," '<>'
| mvexpand '<>'
| foreach <>
[eval total_<>=total + <>
| eval count=count + 1]
| eval avg_<>=<>/count]
| table *, total, count
| transpose include_empty=false 10

`

Expected Output:
height=17.75
width=32
variance=1.0575e+3

Actual Output:
height=032,12,14,13, width=32
variance=03.24e-2,4.23e+3,1.12e-4,1.01e-3

Thank you in advance for any help provided!

0 Karma
Reply

adonio
Ultra Champion
‎03-22-2019 11:31 AM

can you share sample events and desired results?

0 Karma
Reply

ztayluh
New Member
‎03-22-2019 12:01 PM

Hi Adonio, here is an example event. 

21-Mar-19 05:10:46 
total_Height_mm='66,41,29,28'

Each event has a different multi-value pair.
There are ~150+ events per source

Thank you!

0 Karma
Reply

adonio
Ultra Champion
‎03-23-2019 02:30 PM

I am still puzzled as to what is the desired output ...
can you share at least 10 events and the desired output from search?

0 Karma
Reply

ztayluh
New Member
‎03-25-2019 10:54 AM

I apologize, hopefully this will be clearer

If I had an event like this:
21-Mar-19 05:10:46
total_Height_mm='66,41,29,28'

I would expect to get:
avg_total_Height_mm=(66 + 41 + 29 + 28)/4 = 41

Here are some additional events and their desired output:

21-Mar-19 05:10:46
total_Pressure_psi='16.16,16.16,16.16,16.16'

Output:
avg_total_Pressure_psi = 16.16

21-Mar-19 05:10:46
total_Pressure_kpa='3.2405e+2,3.8095e+2,3.4152e+2,3.9155e+2'

Output:
avg_total_Pressure_kpa=3.595175e+2

Thank you.

0 Karma
Reply

adonio
Ultra Champion
‎03-26-2019 06:23 AM

hope i understood your question, try this out.
also, plenty will depend on how the data is indexed and the fields you extract

| makeresults count=1
| eval data = "21-Mar-19 05:10:46 total_Height_mm='66,41,29,28';;;21-Mar-19 05:10:46 total_Pressure_psi='16.16,16.16,16.16,16.16';;;21-Mar-19 05:10:46 total_Pressure_kpa='3.2405e+2,3.8095e+2,3.4152e+2,3.9155e+2'"
| makemv delim=";;;" data 
| mvexpand data
| rex field=data "(?<time>\S+\s\S+)\s(?<fields>[^\=]+)\=\'(?<values>[^\']+)"
| makemv delim="," values
| mvexpand values
| stats avg(values) as avg_value by fields
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk on November 6 at 11AM PT, and empower your SOC to reach new heights! Duration: ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...