Splunk Search

Hi All

I am trying to create a new column with the average of a field name (back_post_duration) . I need to add this column to existing 2 columns.

back_post_duration is the total response time for every request. ex: 11212 ms

1) URL ........xxxxxxxxxxxxx.com.au/checkout/multi/xxxxxxxxxNotificationHandler)
2) count ( total No. of occurrences of URL in specified time)
3) this is new column. (avg of back_post_duration)

Sample log

Successful back-post to xxxxxxxxxxxxx.com.au/checkout/multi/xxxxxxxxxNotificationHandler in 11212 ms with response 404 Not Found.

right now i am using below , but unable to include the 3rd column

sourcetype=xxxxxxxxxxxxx | rex field=_raw "back-post to (?<TO_URL>\S+)" | stats count by TO_URL

1 Solution

Solution

If you have back_post_duration as a field, then try

<your query> | stats count as count,avg(back_post_duration) as Average by TO_URL

Happy Splunking!

View solution in original post

Solution

If you have back_post_duration as a field, then try

<your query> | stats count as count,avg(back_post_duration) as Average by TO_URL

Happy Splunking!

Thanks Ranjith. This worked.

Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now! In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...