Solved: Grouping using regex, then do stats

splunknewbieste · ‎10-19-2015

Assume each event includes 2 fields: path and duration among other fields.
Path can have values: (i) type1 = /x/y/, (ii) type2 = x/y/\d+ , eg. /x/y/1234, (iii) type3= z/t/, (iv) anything else.
How can I calculate the avg(duration) per type of path, only consider type1, type2, and type3, the rest is not interested?

| spath path | .... some how group the paths into different groups using regex ... | stats avg(duration) by path

I could do

... | regex path="/x/y(/\d+)?|/z/t/" | stats avg(duration) by path

but the problem is that /x/y/1234 will be treated differently from /x/y/2345 while I want to group all of them into type2.

clorne · ‎10-19-2015

Hello,
I would do something like that:
- creation of a temporary variable type!path which takes different value according to the value of Path

eval type_path = case(match(Path, "\/x\/y\/"), path_type1, match(Path,"\/x\/y\/\d+"), path_type2, match(Path,"\/z\/t\/"), path_type3)| stats avg(duration) by type_path

regards

View solution in original post

clorne · ‎10-19-2015

Hello,
I would do something like that:
- creation of a temporary variable type!path which takes different value according to the value of Path

eval type_path = case(match(Path, "\/x\/y\/"), path_type1, match(Path,"\/x\/y\/\d+"), path_type2, match(Path,"\/z\/t\/"), path_type3)| stats avg(duration) by type_path

regards

somesoni2 · ‎10-19-2015

Above can be applied after your regex filter.

splunknewbieste · ‎10-19-2015

Yes, I think that works. Thanks @clorne.

Grouping using regex, then do stats

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!