Show averages for three different types of results


I need to show the difference between three different types of servers for example.

CitrixServer   TotalStartupTime
OAIMFEP06      15.609
OAIMFEPV94     27.876
OAIMFEPT07     17446.984

Virtual servers have 'V' in the name, test servers have 'T' in the name, and physical servers have neither T nor V in the name.

I would like to show the average TotalStartupTime for each type of server.

Thank you SplunkBase!

CitrixServer   TotalStartupTime
OAIMFEPV94     27.876
OAIMFEPV89     20.095
OAIMFEPV13     36.08
oaimfep03      51.654
OAIMFEP22      779.027
OAIMFEP02      52.532
OAIMFEPV83     67.69
OAIMFEPV80     15.25
OAIMFEPV40     98.207
OAIMFEP06      15.609



Hi, I have no idea what your base search or your raw data looks like, but I would use rex or regex in my search. I am also assuming CitrixServer is a valid field.

I am assuming the following: OAIMFEPV94 - base_servername=OAIMFE, server_type=PV, server_instance=94

...| rex field=CitrixServer "(?i)oaimfe(?<server_type>\w+)\d\d$" | stats avg(TotalStartupTime) by server_type

You can further enrich the data by using a case statement or a lookup table. Also read the Splunk SPL Cookbook, which is available for download.

Hope this helps or gets you started. Don't forget to accept and vote answers that help.

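To make the classification in the answer above concrete, here is an added example (not code from the original post or from Splunk) that applies the same rule to the rows the asker pasted: strip the shared prefix, look at the letters between the prefix and the trailing digits, and bucket each host as virtual (contains V), test (contains T) or physical (no letters at all). The prefix "OAIMFEP" is an assumption taken from the sample names; names that do not fit that shape are reported as "unknown" rather than silently counted as physical, which is the failure mode the "neither T nor V" rule would otherwise hide. The lowercase "oaimfep03" row is handled by matching case-insensitively. The SPL_EQUIVALENT string is the equivalent eval/case search for Splunk, included for reference only.

```python
import re

# Constructed sample rows, copied from the question's table plus the OAIMFEPT07 test host.
ROWS = [
    ("OAIMFEPV94", 27.876),
    ("OAIMFEPV89", 20.095),
    ("OAIMFEPV13", 36.08),
    ("oaimfep03", 51.654),
    ("OAIMFEP22", 779.027),
    ("OAIMFEP02", 52.532),
    ("OAIMFEPV83", 67.69),
    ("OAIMFEPV80", 15.25),
    ("OAIMFEPV40", 98.207),
    ("OAIMFEP06", 15.609),
    ("OAIMFEPT07", 17446.984),
]

# Assumed naming shape: fixed prefix, optional letters (the type marker), trailing digits.
# Case-insensitive because one of the sample rows is lower case.
NAME_RE = re.compile(r"^oaimfep(?P<suffix>[a-z]*)[0-9]+$", re.IGNORECASE)

# Reference only: the same classification expressed as a Splunk eval/case search
# (assumed prefix "oaimfep"; [0-9] avoids backslash escaping inside eval strings).
SPL_EQUIVALENT = r"""
... | eval server_type=case(
        match(CitrixServer, "(?i)^oaimfep[a-z]*v[a-z]*[0-9]+$"), "virtual",
        match(CitrixServer, "(?i)^oaimfep[a-z]*t[a-z]*[0-9]+$"), "test",
        match(CitrixServer, "(?i)^oaimfep[0-9]+$"), "physical",
        true(), "unknown")
    | stats avg(TotalStartupTime) AS avg_startup count BY server_type
"""


def classify(name: str) -> str:
    """Map a CitrixServer host name to virtual / test / physical / unknown."""
    m = NAME_RE.match(name)
    if not m:
        # Does not fit the assumed naming convention: flag it instead of
        # letting it fall into the "physical" bucket by default.
        return "unknown"
    suffix = m.group("suffix").lower()
    if "v" in suffix:
        return "virtual"
    if "t" in suffix:
        return "test"
    return "physical"


def average_startup_by_type(rows):
    """Return {server_type: {"avg": mean TotalStartupTime, "count": n}} per bucket."""
    buckets = {}
    for host, startup in rows:
        buckets.setdefault(classify(host), []).append(float(startup))
    return {
        kind: {"avg": sum(vals) / len(vals), "count": len(vals)}
        for kind, vals in buckets.items()
    }


if __name__ == "__main__":
    for kind, stats in sorted(average_startup_by_type(ROWS).items()):
        print(f"{kind:9s} count={stats['count']:2d} avg={stats['avg']:.3f}")
```

Note that a host with both V and T in its suffix is reported as virtual because that test runs first; if such names exist in the real data the two rules need an explicit order or a separate bucket.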


If this helps, don't forget to accept by clicking the check mark. Cheers




Thank you!
