https://community.splunk.com/t5/Splunk-Search/How-can-I-get-the-result/m-p/408918#M167868 <P>device="/dev/vda1 or device="/dev/vdb2 or device="/dev/sdb1 ...... and so on <BR /> so can not used to if(device="/dev/vda1",metric_value,null()) <BR /> I want to find rank...over() like oracle</P> Wed, 15 Aug 2018 14:27:46 GMT flzhang132 2018-08-15T14:27:46Z https://community.splunk.com/t5/Splunk-Search/How-can-I-get-the-result/m-p/408916#M167866 <P>How can I get the result ? thanks ！<BR /> <span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/5569i923F4A8747D1A7B7/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Wed, 15 Aug 2018 10:47:53 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-get-the-result/m-p/408916#M167866 flzhang132 2018-08-15T10:47:53Z https://community.splunk.com/t5/Splunk-Search/How-can-I-get-the-result/m-p/408917#M167867 <P>@flzhang132,</P> <P>Try this and let's know</P> <PRE><CODE>index="your index" "other search terms" |eval time=strftime(_time,"%d/%m/%Y") |fields time,type,host,device,metric_value| fillnull value="NA" |stats avg(eval(if(type="cpu",metric_value,null()))) as cpu, avg(eval(if(type="mem",metric_value,null()))) as mem, avg(eval(if(device="/dev/vda1",metric_value,null()))) as diskusage1, avg(eval(if(device="/dev/vdb",metric_value,null()))) as diskusage2, values(host) as host,values(time) as time by type,device |fields - type,device|replace NA with "" </CODE></PRE> <P>Sorry not tested.</P> Wed, 15 Aug 2018 12:29:34 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-get-the-result/m-p/408917#M167867 renjith_nair 2018-08-15T12:29:34Z https://community.splunk.com/t5/Splunk-Search/How-can-I-get-the-result/m-p/408918#M167868 <P>device="/dev/vda1 or device="/dev/vdb2 or device="/dev/sdb1 ...... and so on <BR /> so can not used to if(device="/dev/vda1",metric_value,null()) <BR /> I want to find rank...over() like oracle</P> Wed, 15 Aug 2018 14:27:46 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-get-the-result/m-p/408918#M167868 flzhang132 2018-08-15T14:27:46Z https://community.splunk.com/t5/Splunk-Search/How-can-I-get-the-result/m-p/408919#M167869 <P>The above is exactly to match your requirement. The easy solution is </P> <PRE><CODE> index="your index" "other search terms" |eval time=strftime(_time,"%d/%m/%Y") |fields time,type,host,device,metric_value| fillnull value="NA" |stats avg(metric_value) as metric_value , values(host) as host,values(time) as time by type,device |replace NA with "" </CODE></PRE> <P>and you could use chart func(value) over something by this</P> Wed, 15 Aug 2018 14:55:14 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-get-the-result/m-p/408919#M167869 renjith_nair 2018-08-15T14:55:14Z https://community.splunk.com/t5/Splunk-Search/How-can-I-get-the-result/m-p/408920#M167870 <P>How frequently do you collect these metrics for each host? </P> Wed, 15 Aug 2018 15:35:52 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-get-the-result/m-p/408920#M167870 somesoni2 2018-08-15T15:35:52Z https://community.splunk.com/t5/Splunk-Search/How-can-I-get-the-result/m-p/408921#M167871 <P>yes , there are many hosts ,and each hosts have vary of device metrics </P> Thu, 16 Aug 2018 00:20:16 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-get-the-result/m-p/408921#M167871 flzhang132 2018-08-16T00:20:16Z https://community.splunk.com/t5/Splunk-Search/How-can-I-get-the-result/m-p/408922#M167872 <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/5568i78696DFCCF013198/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Thu, 16 Aug 2018 00:52:31 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-get-the-result/m-p/408922#M167872 flzhang132 2018-08-16T00:52:31Z