The averaging function (avg) calculates the average value of the numerical field being evaluated within the time range analyzed.

  • avg(numerical_field)
  • Creates field named _avg

... | avg(request_received) group by hour

Sample log message:

Aug 2 04:06:08 : host= local/ssl2 notice mcpd[3772]: filesize=20454: diskutilization=0.4 : 01070638:5: Pool member monitor status down.

Example based on sample log message above:

disk*
| parse "diskutilization=*" as disk
| avg(disk) group by _sourceCategory
| sort by _avg

This query first finds all messages that contain the term disk*, then keeps only those that carry a diskutilization= value and extracts that value into the field disk. The avg statement computes the average disk utilization per _sourceCategory, and the results are sorted by the generated _avg field. Effectively, it gives you a picture of how your hosts are doing on average, based on the categorization of log sources you have chosen.
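To make the query's semantics concrete, here is an added Python emulation (not Sumo Logic's own engine or code) of the parse, avg, group by and sort steps above, run over a few constructed log lines. The _sourceCategory values and the extra messages are assumptions, and the emulation assumes the trailing wildcard captures the next whitespace-delimited token.

```python
import re
from collections import defaultdict

# Constructed sample messages, each tagged with an assumed _sourceCategory.
# The last message carries no diskutilization= field and is dropped by the
# parse step, as the page describes ("parses out all that have a value").
SAMPLE_LOGS = [
    ("prod/lb", "Aug 2 04:06:08 : host= local/ssl2 notice mcpd[3772]: filesize=20454: "
                "diskutilization=0.4 : 01070638:5: Pool member monitor status down."),
    ("prod/lb", "Aug 2 04:07:11 : host= local/ssl2 notice mcpd[3772]: filesize=20460: "
                "diskutilization=0.6 : 01070638:5: Pool member monitor status up."),
    ("prod/db", "Aug 2 04:08:02 : host= db01 notice monitor[991]: "
                "diskutilization=0.9 : volume /var nearly full."),
    ("prod/db", "Aug 2 04:08:30 : host= db01 notice monitor[991]: filesize=1024: "
                "no disk stats available."),
]

def parse_wildcard(pattern, message):
    """Emulate `parse "<literal>*" as field`: the literal must appear in the
    message and '*' captures the following non-space token (an assumption
    about wildcard scope). Returns None when the message does not match."""
    literal, _, _ = pattern.partition("*")
    match = re.search(re.escape(literal) + r"(\S+)", message)
    return match.group(1) if match else None

def avg_disk_by_category(logs):
    """Run the page's query over (category, message) pairs:
    parse diskutilization, avg(disk) group by _sourceCategory, sort by _avg."""
    buckets = defaultdict(list)
    for category, message in logs:
        raw = parse_wildcard("diskutilization=*", message)
        if raw is None:
            continue                     # parse drops non-matching messages
        try:
            buckets[category].append(float(raw))
        except ValueError:
            continue                     # avg only aggregates numeric values
    rows = [{"_sourceCategory": c, "_avg": sum(v) / len(v)}
            for c, v in buckets.items()]
    return sorted(rows, key=lambda r: r["_avg"])   # sort by _avg, ascending

if __name__ == "__main__":
    for row in avg_disk_by_category(SAMPLE_LOGS):
        print(f"{row['_sourceCategory']:<10} _avg={row['_avg']:.2f}")
```

Running it yields one row per category with its _avg, lowest first, and shows that a host whose messages lack the field contributes nothing to its category's average.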