topic Problem with multiple rows in a table (extended statistic) in Splunk Search

Problem with multiple rows in a table (extended statistic)

C_Sparn — Thu, 22 May 2014 08:07:47 GMT

Hello,

I'm looking for a possibility to create a statistic like this one:

directupload.net/file/d/3630/jzf8nu84_png.htm

Is that possible with the splunk search language?
Greetings

Re: Problem with multiple rows in a table (extended statistic)

martin_mueller — Thu, 22 May 2014 10:53:51 GMT

That looks a lot like a stats count by Date Type User - it'll fill those empty cells as well, but that's cosmetic... and could be fixed in post.

Re: Problem with multiple rows in a table (extended statistic)

C_Sparn — Thu, 22 May 2014 11:43:44 GMT

All in all you are right with grouping by multiple fields!
Now I get 1 row foreach time and all cells filled.
But how can I fix that "cosmetic" issue in post?
And is it possible to add another column at the end that has just:

count(time) by Date Type

If I use appendcols with this count it appends the values at the wrong rows beginning at first row!

Thanks for help

Re: Problem with multiple rows in a table (extended statistic)

martin_mueller — Thu, 22 May 2014 12:07:21 GMT

You can add such sub-summary columns like this:

... | eventstats sum(count) by Date Type

For removing duplicate Date values you can do this:

... | streamstats current=f window=1 last(Date) as last_date | eval Date = if(Date == last_date, null, Date) | fields - last_date

It'll copy over the value from the previous row and discard the cell if it's equal to that.