topic Re: Add field post stats and transpose commands in Splunk Search

Add field post stats and transpose commands

ebs — Tue, 01 Jun 2021 00:15:07 GMT

Hi,

I want my data presented in a very specific way, which means I can't go the typical route of just adding the field I want presented after the by in my stats command as I'm using transpose on the header fields.

I can't use eventstats because that completely messes up my stats table.

This is the search:

| datamodel Test summariesonly=true search
| search "TEST.date"=2021-05-18| rename "TEST.date" as date
| rename "TEST.uri_path" as uri_path
| eval category=case(like(uri_path, "/url1), "highPriority", uri_path="/url2", "unattended",
uri_path="/url3, "lowPriority", uri_path="/url4", "largePayload")
| rename "TEST.response_time" as response_time
| stats avg(response_time) by category
| rename avg(response_time) as averageResponse
| eval averageResponse=round(averageResponse,3)
| transpose 0 header_field=category
| fillnull value=0 highPriority, lowPriority, largePayload, unattended
| fields highPriority, lowPriority, largePayload, unattended, date

I want to be able to fill my date field with the previously defined date field

Re: Add field post stats and transpose commands

bowesmana — Tue, 01 Jun 2021 00:36:31 GMT

So, where does your hard-coded string "2021-05-18" come from - if it really is just hard coded, you could just do

| fillnull value=0 highPriority, lowPriority, largePayload, unattended | eval date="2021-05-18" | fields highPriority, lowPriority, largePayload, unattended, date

but I suspect it's not, so if your condition is coming from a token, e.g. $date$, then you could still do the same, with

| eval date=$date|s$

or you could do this after the round

again, depending on where your condition is coming from, the same issue applies.

Note a couple of tips for your existing SPL.

You can do this

| rename "TEST.*" as *

and

| stats avg(response_time) as averageResponse by category

so you don't have to do the other separate renames

Re: Add field post stats and transpose commands

ebs — Tue, 01 Jun 2021 22:46:36 GMT

It is a token, so thank you but something weird happens when I have the command | eval date-$date

It comes up in my table as 1998 and I have no idea why because the correlating values from my first enterance of that date is accurate.

Please advise

Re: Add field post stats and transpose commands

ebs — Tue, 01 Jun 2021 23:03:17 GMT

Figured it out, I needed quotations around the token or it would have taken it as a mathematical expression

Re: Add field post stats and transpose commands

bowesmana — Wed, 02 Jun 2021 00:20:53 GMT

@ebs

Note the syntax I used in my original regarding use of tokens

| eval date=$date|s$

The |s (pipe s) before the closing $ sign is an instruction to the token handler as to how to represent the token.

See this link

https://docs.splunk.com/Documentation/Splunk/8.2.0/Viz/tokens#Syntax_to_consume_tokens

which shows what | token commands are available and how they affect token usage.

Using this

| eval date="$date$"

is the same when using the token in a dashboard, but there are subtle differences in how the |s syntax works compared to simple quoting when using the token in Javascript.