- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Average Field results based of matching two other ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Looking to take the following data sample and average the Latency columns based off the matching of Out and In fields. I've already taken the main search string and built reports around a rt timechart of average sorted by either Out or In; but would like a report that would show the average over 1 hr by distinct In & Out uniqueness
Example:
Latency, In, Out
00:00:01 SourceA SourceB
00:00:40 SourceA SourceC
00:00:01 SourceA SourceB
00:00:01 SourceB SourceB
00:00:01 SourceA SourceC
00:00:02 SourceA SourceC
00:00:01 SourceA SourceB
00:00:01 SourceA SourceB
00:00:01 SourceB SourceA
00:00:01 SourceA SourceB
00:00:30 SourceB SourceC
I've already taken the main search string and built reports around a rt average sorted by either Out or In.
Would like it to look for any "In" and "Out" match them up and calculate the average of each one. With the above example it would be:
00:00:01 SourceA SourceB
00:00:01 SourceA SourceB
00:00:01 SourceA SourceB
00:00:01 SourceA SourceB
00:00:01 SourceA SourceB
00:00:01 SourceB SourceB
00:00:01 SourceA SourceC
00:00:02 SourceA SourceC
00:00:40 SourceA SourceC
00:00:01 SourceB SourceA
00:00:30 SourceB SourceC
Result Table desired outcome:
Latency, In, Out
00:00:01, SourceA, SourceB
00:00:01, SourceB, SourceB
00:00:14, SourceA, SourceC
00:00:01. SourceB, SourceA
00:00:30, SourceB, SourceC
I would also be performing the same eval of Latency to show the max but figure that would be a simple change of performing the above by using max( ) instead of avg( ).
Hopefully this makes sense.
Best Regards,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why not
yoursearchhere
| latInSec = strptime(Latency,"%H:%M:%S")
| stats avg(latInSec) by In Out
| eval Average_Latency = tostring(latInSec,"duration")
| fields - latInSec
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why not
yoursearchhere
| latInSec = strptime(Latency,"%H:%M:%S")
| stats avg(latInSec) by In Out
| eval Average_Latency = tostring(latInSec,"duration")
| fields - latInSec
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks worked great, though I did take out the time format conversion as its done prior. Guess the stats is the main function to perform a calculations based on grouping of other fields I was looking for.
Updated Team Landing Page in Splunk Observability
New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
