Solved: Re: Why I am getting avg() alway empty?

Kazi1 · ‎07-06-2020

Hi everyone,

I am unable to calculate average of the given values. However, I am getting values corresponding to min() and max(). Just to give you a bit of context, I am trying to extract response time from logs and based on that I want to create a chart (probably bar- chat) presenting min, max and avg response time for successful requests.

Here are few of my queries which I tried:

First approach

index=nonprod source=/some/microservices/alpha-* 
| spath level 
| search level=info 
| search message!="Exception has occurred." 
| regex message="([a-z0-9[\:\/\-.?=%]+)abc/submission] resolved in \[([0-9ms\s\]]+)"
| rex "resolved in \[(?<resptime>.*? )" 
| stats min(resptime) as Mintime max(resptime) as MaxTme avg(resptime) as AvgTime

Response => Mintime : 12237 MaxTme : 28338 AvgTime:

Then second approach ( I thought may be <resptime> is a string type and hence avg() is unable to calculate average. So, tried to convert string to number before calculating applying stats

index=nonprod source=/some/microservices/alpha-* 
                | spath level 
                | search level=info 
                | search message!="Exception has occurred." 
                | regex message="([a-z0-9[\:\/\-.?=%]+)abc/submission] resolved in \[([0-9ms\s\]]+)"
                | rex "resolved in \[(?<resptime>.*? )" 
                | eval responseTime = tonumber(resptime)
                | stats min(responseTime) as Mintime max(responseTime) as MaxTme avg(responseTime) as AvgTime

This approach didn't work at all.

FYI - following are the values I am getting from <resptime> when I use " | table resptime" right after rex statement.

1	13826
2	24812
3	20494
4	26317
5	28338
6	25612
7	12237
8	13470
9	17023
10	14416
11	13979
12	24578

Also, I have also figured it out that eval also doesn't work I tried printing eval statement as table it showed 12 empty rows. Moreover, I also tried eval with if ()
"eval responseTime = if(isNum(resptime),"True",tonumber(resptime)) | table responseTime". No luck.

Any help in this regard would be highly appreciated.

Thanks

to4kawa · ‎07-06-2020

| makeresults
| eval test="1234 "
| eval result=tonumber(test)

This query doesn't display result.
your rex capture with space. so that is why your query can't work.

View solution in original post

to4kawa · ‎07-06-2020

| makeresults
| eval test="1234 "
| eval result=tonumber(test)

This query doesn't display result.
your rex capture with space. so that is why your query can't work.

Kazi1 · ‎07-06-2020

Hi @to4kawa,

It seems like you're right on point. Till this point I didn't look into it but I can see for sure there is a space right after number. The following piece worked for me after removing space. Learned something new!

| eval nospace=trim(resptime) | stats avg(nospace) ...

Thanks bunch mate!

isoutamo · ‎07-06-2020

Hi

can you give a sample to us?
When you run this with verbose mode, can you check which character is before that field on interesting fields? Is it an “a” => character or a # => number.?

r. Ismo

Kazi1 · ‎07-06-2020

Hi @isoutamo ,
I am getting # before field "resptime" under intersting fields. Also, under the sub-window which gets open after you click on that particular field I am getting all the results along with :

Avg: 18346.072727272727
Min: 10690
Max: 30474
Std Dev: 6422.345452069976

Though, I am not sure how can I access these fields.

Thanks

Why I am getting avg() alway empty?

eval

stats

table

timechart

Index This | Forward, I’m heavy; backward, I’m not. What am I?

A Guide To Cloud Migration Success

Join Us for Splunk University and Get Your Bootcamp Game On!