×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Walter_Oesch
Observer
Member since: ‎09-12-2025
‎09-15-2025
Community Statistics
Posts 2
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎09-12-2025
Activity Feed
View All

Re: Average time in multivalue field

by in Splunk Search
‎09-15-2025 09:51 PM
‎09-15-2025 09:51 PM
Thank you for your reply. I managed to find a solution. I use transaction to correlate events with different keys (in the pseudo code example only one field was used). ... View more

Average time in multivalue field

by in Splunk Search
‎09-12-2025 06:56 AM
‎09-12-2025 06:56 AM
Hello I have a two multivalue fields: poiMv (point of interest) and timeMv as a result of a transaction command. Both Mv-fields have the same size. Same index have corresponding values. poiMv holds the place an event occurred, timeMv the corresponding time.  poiMv holds non unique values, e.g. [start nonrelevant end nonrelevent nonrelevant start end nonrelevant start nonrelevant end].   Now I want to find the time differences of all successiv start and end events. Out of these time differences, I want to calculate the mean value.  The mean value along with other values should then be presented in a table Conceptually, the query should looks like this: | index=myIndex | where filter | transaction correlationField mvlist="poiMv timeMv "  | "find successiv start end pairs in poiMv, calculate time difference, take the mean" | eval meanStartEnd = .... | table column1 column2 meanStartEnd  Any help is welcomed.     ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎09-15-2025 09:43 PM