Solved: How to group and count data from string?

vintik · ‎09-28-2016

I have the following query:

sourcetype=XXX Some query for * took * seconds to load

And this is a result of query:

I, [2016-09-28T11:01:21.616144 #23942]  INFO -- : Some query for authorizations took 8 seconds to load. JobID: 1475060473.4330475
I, [2016-09-28T11:01:21.113586 #20705]  INFO -- : Some query for authentications took 9 seconds to load. JobID: 1475060472.4330474
I, [2016-09-28T11:01:20.539219 #19285]  INFO -- : Some query for authentications took 8 seconds to load. JobID: 1475060472.4330473

But I need to get average time for each of operation type (authorizations and authentications from example):

authorizations: 8.5
authentications: 8

Is it possible?

somesoni2 · ‎09-28-2016

Assuming that both operation type and duration is not extracted, try like this

 sourcetype=XXX Some query for * took * seconds to load | rex "for (?<operation_type>\w+) took (?<duration>\d+) seconds" | stats avg(duration) as Average_Time by operation_type

View solution in original post

somesoni2 · ‎09-28-2016

Assuming that both operation type and duration is not extracted, try like this

 sourcetype=XXX Some query for * took * seconds to load | rex "for (?<operation_type>\w+) took (?<duration>\d+) seconds" | stats avg(duration) as Average_Time by operation_type

How to group and count data from string?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life