Splunk Search

Hi All

I am trying to create a new column with the average of a field name (back_post_duration) . I need to add this column to existing 2 columns.

back_post_duration is the total response time for every request. ex: 11212 ms

1) URL ........xxxxxxxxxxxxx.com.au/checkout/multi/xxxxxxxxxNotificationHandler)
2) count ( total No. of occurrences of URL in specified time)
3) this is new column. (avg of back_post_duration)

Sample log

Successful back-post to xxxxxxxxxxxxx.com.au/checkout/multi/xxxxxxxxxNotificationHandler in 11212 ms with response 404 Not Found.

right now i am using below , but unable to include the 3rd column

sourcetype=xxxxxxxxxxxxx | rex field=_raw "back-post to (?<TO_URL>\S+)" | stats count by TO_URL

1 Solution

Solution

If you have back_post_duration as a field, then try

<your query> | stats count as count,avg(back_post_duration) as Average by TO_URL

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

Solution

If you have back_post_duration as a field, then try

<your query> | stats count as count,avg(back_post_duration) as Average by TO_URL

---
What goes around comes around. If it helps, hit it with Karma 🙂

Thanks Ranjith. This worked.

Get Updates on the Splunk Community!

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...

Combine multiline logs into a single event with SOCK - a step-by-step guide for newbies Olga Malita The ...