topic Re: I'm having trouble with the "over" syntax. How to use it in this situation? in Splunk Search

I'm having trouble with the "over" syntax. How to use it in this situation?

Hppjet — Sat, 23 Sep 2017 02:25:36 GMT

index="Plt15_tms3" ShiftName="1" EmployeeLoggedInLastName="*" MachineNumber<26  MachineState="*" | stats sum(ElapsedMachineSecondsInOrderPath) as ElapsedMachineSecondsInOrderPath by EmployeeLoggedInLastName | eval "Login Hours"=ElapsedMachineSecondsInOrderPath/3600 | chart  sum("Login Hours") **over** MachineState by EmployeeLoggedInLastName

updated - marked as code

Re: I'm having trouble with the "over" syntax. How to use it in this situation?

Sukisen1981 — Sat, 23 Sep 2017 09:28:52 GMT

hmm what is your desired output? can you be a bit more specific?

Re: I'm having trouble with the "over" syntax. How to use it in this situation?

Hppjet — Mon, 25 Sep 2017 12:40:13 GMT

I was hoping to create a column chart that has totals for "Login Hours" that is separated by machine state(running, stopped) that is broken out by Employee last name.

Re: I'm having trouble with the "over" syntax. How to use it in this situation?

DalJeanis — Mon, 25 Sep 2017 14:07:00 GMT

@hppjet - can you post a quick mockup of your desired output?

Re: I'm having trouble with the "over" syntax. How to use it in this situation?

DalJeanis — Mon, 25 Sep 2017 14:16:49 GMT

Ah. You lost the values for MachineState in your stats command. Any field not present in the stats command is GONE after it.

I'm assuming you have many more employees then you have machine states, so you may want to remember "over rowname by columnname")

 index="Plt15_tms3" ShiftName="1" EmployeeLoggedInLastName="*" MachineNumber<26  MachineState="*" 
| stats sum(ElapsedMachineSecondsInOrderPath) as ElapsedSeconds by EmployeeLoggedInLastName MachineState
| eval "Login Hours"=round(ElapsedSeconds/3600,2) 
| chart  sum("Login Hours") over EmployeeLoggedInLastName by MachineState

Re: I'm having trouble with the "over" syntax. How to use it in this situation?

Hppjet — Mon, 25 Sep 2017 14:26:38 GMT

Thank you for this solution and lesson. I didn't know it would be lost after stats.

Re: I'm having trouble with the "over" syntax. How to use it in this situation?

DalJeanis — Mon, 25 Sep 2017 15:00:20 GMT

@hppjet - yes, stats is a transforming command that summarizes all the records into a few new summary records. If you want to do something stats-like, but just want to add the calculated fields to every event, then use eventstats. If you want to do something that will process the events in order, like calculating an ongoing cumulative value across time, then use streamstats or accum. They each have their place.