Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Summary-Index: Is it possible to summary index the averages of two calculated fields in the same search?

hofer
Explorer
‎04-17-2015 07:19 AM

So i got this report running all 15min and saving into my summary index:

index=mbs_li host="vimapmop*" sourcetype=Message | timechart span=1m avg(Message_DURATION_whole) AS ms

Now there are 2 durations in an original event, one is the Message_DURATION_whole and one the Message_DURATION_part1.
I'd like to have both the averages (see search above) of them in my summary index event. These two fields are field extractions.
Is this possible or do I have to just add another report, which makes almost the same, but with the other duration?

Thank you very much

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ngatchasandra
Builder
‎04-17-2015 07:44 AM

Hi hofer,

This is possible!

You will write your request like this:

index=mbs_li host="vimapmop*" sourcetype=Message | timechart span=1m avg(Message_DURATION_whole) AS ms, avg(Message_DURATION_part1) AS ms2

View solution in original post

Reply
Solved! Jump to solution
Solution

ngatchasandra
Builder
‎04-17-2015 07:44 AM

Hi hofer,

This is possible!

You will write your request like this:

index=mbs_li host="vimapmop*" sourcetype=Message | timechart span=1m avg(Message_DURATION_whole) AS ms, avg(Message_DURATION_part1) AS ms2
Reply
Solved! Jump to solution

juvetm
Communicator
‎04-17-2015 01:07 PM

Hi
can you try to use the eval commad i think this may help o solve you problem

0 Karma
Reply
Solved! Jump to solution

hofer
Explorer
‎04-20-2015 03:41 AM

Thank you, ngatchasandra.
@juvetm, yes this is also possible, but unfortunately "eval" doesn't go with "avg". But for example a straight line, this works great.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...