Sumo Logic

avg

The averaging function (avg) calculates the average value of the numerical field being evaluated within the time range analyzed.

Syntax:

  • avg(numerical_field)

Rules:

  • Creates field named _avg

Example:

... | avg(request_received) group by hour

Sample log message:

Aug 2 04:06:08 : host=10.1.1.124: local/ssl2 notice mcpd[3772]: filesize=20454: diskutilization=0.4 : 01070638:5: Pool member 172.31.51.22:0 monitor status down.

Example based on sample log message above:

disk*
| parse "diskutilization=*" as disk
| avg(disk) group by _sourceCategory
| sort by _avg

This query finds all messages that contain the term disk* and parses out those that carry a diskutilization= value, extracting that value into the field disk. The avg statement then computes the average disk utilization per _sourceCategory, and the results are sorted by the _avg field that avg creates. Effectively, it gives you a picture of how your hosts are doing on average based on the categorization of log sources you’ve chosen.
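As an added illustration (not code from the Sumo Logic docs), the following Python simulates what the query above does over a few constructed log lines in the format of the sample message, each tagged with an assumed _sourceCategory value: the disk* keyword search, the parse step that keeps only messages carrying a diskutilization= value, the per-category average, and the sort (assuming sort's default descending order).

```python
import re
from collections import defaultdict

# Constructed sample messages modelled on the page's sample log line.
# Each tuple is (assumed _sourceCategory, raw message); categories are illustrative.
SAMPLE_LOGS = [
    ("prod/web", "Aug 2 04:06:08 : host=10.1.1.124: local/ssl2 notice mcpd[3772]: filesize=20454: "
                 "diskutilization=0.4 : 01070638:5: Pool member 172.31.51.22:0 monitor status down."),
    ("prod/web", "Aug 2 04:07:11 : host=10.1.1.125: local/ssl2 notice mcpd[3772]: filesize=20454: "
                 "diskutilization=0.6 : 01070638:5: Pool member 172.31.51.23:0 monitor status down."),
    ("prod/db",  "Aug 2 04:08:02 : host=10.1.1.200: local/ssl2 notice mcpd[3772]: filesize=20454: "
                 "diskutilization=0.9 : 01070638:5: Pool member 172.31.51.30:0 monitor status down."),
    # Matches the disk* keyword but has no diskutilization= value: the parse step drops it.
    ("prod/db",  "Aug 2 04:09:45 : host=10.1.1.201: disk check skipped, nothing reported"),
    # Does not contain the disk keyword at all: excluded by the keyword search.
    ("prod/app", "Aug 2 04:10:00 : host=10.1.1.50: cpu=0.2 mem=0.5"),
]

KEYWORD = re.compile(r"\bdisk\w*", re.IGNORECASE)   # the keyword search `disk*`
PARSE = re.compile(r"diskutilization=(\S+)")         # `parse "diskutilization=*" as disk`


def avg_disk_by_category(logs):
    """Return [(category, _avg), ...] ordered by _avg descending.

    Mirrors `| avg(disk) group by _sourceCategory | sort by _avg`:
    messages failing the keyword search or the parse are excluded, and
    non-numeric values are skipped because avg only counts numeric fields.
    """
    buckets = defaultdict(list)
    for category, message in logs:
        if not KEYWORD.search(message):
            continue                      # keyword search `disk*` did not match
        match = PARSE.search(message)
        if not match:
            continue                      # parse found no diskutilization= value
        try:
            buckets[category].append(float(match.group(1)))
        except ValueError:
            continue                      # not numeric, so it cannot be averaged
    rows = [(category, sum(values) / len(values)) for category, values in buckets.items()]
    return sorted(rows, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    for category, avg_value in avg_disk_by_category(SAMPLE_LOGS):
        print(f"{category:10s} _avg={avg_value:.2f}")
```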