Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Extract values bucketed by time

varsuvius
New Member
‎11-24-2016 04:43 AM

Hello,

I have a bucketed chart in this format:

alt text

Is it possible to calculate the geometric mean of the values in each timestamp and add it to another field??

Tags (1)
Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎11-24-2016 05:50 AM

Try this

.... | mvexpand solrTime | eval natural_logs=ln(solrTime) | stats values(solrTime) as solrTime mean(natural_logs) as log_mean by _time | eval geometric_mean = exp(log_mean)

Got this from this great post by @aljohnson

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎11-24-2016 05:50 AM

Try this

.... | mvexpand solrTime | eval natural_logs=ln(solrTime) | stats values(solrTime) as solrTime mean(natural_logs) as log_mean by _time | eval geometric_mean = exp(log_mean)

Got this from this great post by @aljohnson

0 Karma
Reply
Solved! Jump to solution

varsuvius
New Member
‎11-24-2016 06:42 AM

Did not work.

I tried this command:

  • | rex field=_raw ".*Solr Time: (?\d+)" | mvexpand solrTime | eval natural_log=ln(solrTime) | bucket span=10m _time | stats values(solrTime) as solrTime mean(natural_logs) as log_mean by _time | eval geometric_mean = exp(log_mean)
0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎11-24-2016 06:50 AM

I don't believe you need the rex command. Add this to the query that resulted in the table you have in your screenshot. Make sure the table has two columns _time and solrTime

0 Karma
Reply
Solved! Jump to solution

varsuvius
New Member
‎11-24-2016 07:03 AM

The query between --- is the initial one that generates that chart.

--- * | rex field=_raw ".*Solr Time: (?\d+)" | bucket span=10m _time | chart values(solrTime) by _time --- | mvexpand solrTime | eval natural_log=ln(solrTime) | stats values(solrTime) as solrTime mean(natural_logs) as log_mean by _time | eval geometric_mean = exp(log_mean)

After that, the results are returning only the timestamp.

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎11-24-2016 07:23 AM

Try this

---  | rex field=_raw ".*Solr Time: (?\d+)" | bucket span=10m _time | chart values(solrTime) as solrTime by _time | mvexpand solrTime | eval natural_log=ln(solrTime) | stats values(solrTime) as solrTime mean(natural_logs) as log_mean by _time | eval geometric_mean = exp(log_mean)
0 Karma
Reply
Solved! Jump to solution

varsuvius
New Member
‎11-24-2016 07:35 AM

Still not working.

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎11-24-2016 07:39 AM

Try this. Fixed typo

---  | rex field=_raw ".*Solr Time: (?\d+)" | bucket span=10m _time | chart values(solrTime) as solrTime by _time | mvexpand solrTime | eval natural_logs=ln(solrTime) | stats values(solrTime) as solrTime mean(natural_logs) as log_mean by _time | eval geometric_mean = exp(log_mean)

If this doesn't work, try taking out one segment at a time to see where it stops working.

0 Karma
Reply
Solved! Jump to solution

varsuvius
New Member
‎11-24-2016 07:56 AM

It's working now. Thanks a lot for your help. 😄

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...