×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
sityuages
New Member
Member since: ‎09-17-2015
‎06-05-2020
Community Statistics
Posts 2
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎09-17-2015
View All

Re: How to merge events and average based upon spe...

by in Splunk Search
‎09-17-2015 01:27 PM
‎09-17-2015 01:27 PM
This worked very well. The only change I made was to break out the rex for extracting Name and Count into 2 separate ones. Thank you somesoni2! ... View more

How to merge events and average based upon specifi...

by in Splunk Search
‎09-17-2015 11:08 AM
‎09-17-2015 11:08 AM
First, the background - I have a number of events that are parsed and indexed. The format of the log file is: [timestamp] [Sub1] Name="Bob" Count=2 [Sub2] Name="Sarah" Count=5 [Sub1] Name="Sarah" Count=3 [Sub2] Name="Bob" Count=0 [timestamp] [Sub1] Name="Bob" Count=5 [Sub2] Name="Sarah" Count=3 [Sub1] Name="Sarah" Count=0 [Sub2] Name="Bob" Count=3 [timestamp] [Sub1] Name="Bob" Count=1 [Sub2] Name="Sarah" Count=2 [Sub1] Name="Sarah" Count=0 [Sub2] Name="Bob" Count=2 The [timestamp] is the start of a new event. Splunk splits these lines into their own events properly. The [Sub1] and [Sub2] tags denote different items in my system, so for now I am only wanting to use the fields that come after Sub1. I cannot determine what Search query to use that will search the indexed data, take the average of the Counts based upon [Sub1] and each "Name", and spit the results out. Does anyone have an idea on this? ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM