https://community.splunk.com/t5/Splunk-Search/How-can-I-average-a-dynamic-column-created-using-eval-Field/m-p/220101#M64702 <P>I would like to display some data that has columns based on dynamic data from the search results.<BR /> e.g. Assuming I have a query to calculate which two servers have the most users logging into them. I can write a query to give me the data in the form of: </P> <PRE><CODE>Date | ServerWithMostLogins | ServerWithSecondToMostLogins </CODE></PRE> <P>However, rather than calling the columns <CODE>ServerWithMostLogins</CODE>, I'd rename the column to the server's name.<BR /> I know I can use something like <CODE>| eval {ServerName}</CODE> but then I don't think I would be able to run <CODE>stats</CODE> over that column.<BR /> Is this possible?</P> <P>Edit, for example, say I have this data in my search result:</P> <PRE><CODE>Date=Today UserName=user1 ServerLoggedInto=Server23 Date=Today UserName=user45 ServerLoggedInto=Server33 Date=Today UserName=user11 ServerLoggedInto=Server23 Date=Today UserName=user11 ServerLoggedInto=Server23 etc </CODE></PRE> <P>What I would like is to display which 2 servers have the most logins:</P> <PRE><CODE>| Date | Server23 | Server 33 | +---------+----------+-----------+ | Today | 3 | 1 | </CODE></PRE> <P>I get most of this, the thing currently stumping me is how to get the ServerName as the column name.</P> Thu, 05 Nov 2015 20:23:39 GMT chustar 2015-11-05T20:23:39Z https://community.splunk.com/t5/Splunk-Search/How-can-I-average-a-dynamic-column-created-using-eval-Field/m-p/220101#M64702 <P>I would like to display some data that has columns based on dynamic data from the search results.<BR /> e.g. Assuming I have a query to calculate which two servers have the most users logging into them. I can write a query to give me the data in the form of: </P> <PRE><CODE>Date | ServerWithMostLogins | ServerWithSecondToMostLogins </CODE></PRE> <P>However, rather than calling the columns <CODE>ServerWithMostLogins</CODE>, I'd rename the column to the server's name.<BR /> I know I can use something like <CODE>| eval {ServerName}</CODE> but then I don't think I would be able to run <CODE>stats</CODE> over that column.<BR /> Is this possible?</P> <P>Edit, for example, say I have this data in my search result:</P> <PRE><CODE>Date=Today UserName=user1 ServerLoggedInto=Server23 Date=Today UserName=user45 ServerLoggedInto=Server33 Date=Today UserName=user11 ServerLoggedInto=Server23 Date=Today UserName=user11 ServerLoggedInto=Server23 etc </CODE></PRE> <P>What I would like is to display which 2 servers have the most logins:</P> <PRE><CODE>| Date | Server23 | Server 33 | +---------+----------+-----------+ | Today | 3 | 1 | </CODE></PRE> <P>I get most of this, the thing currently stumping me is how to get the ServerName as the column name.</P> Thu, 05 Nov 2015 20:23:39 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-average-a-dynamic-column-created-using-eval-Field/m-p/220101#M64702 chustar 2015-11-05T20:23:39Z https://community.splunk.com/t5/Splunk-Search/How-can-I-average-a-dynamic-column-created-using-eval-Field/m-p/220102#M64703 <P>Can you expand on what the table you have looks like and what the table you want looks like ?</P> Thu, 05 Nov 2015 20:40:15 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-average-a-dynamic-column-created-using-eval-Field/m-p/220102#M64703 aljohnson_splun 2015-11-05T20:40:15Z https://community.splunk.com/t5/Splunk-Search/How-can-I-average-a-dynamic-column-created-using-eval-Field/m-p/220103#M64704 <P>Like this:</P> <PRE><CODE>... | chart count over host | addtotals col=t row=f | fillnull value="TOTAL" | sort 3 - count | eval dummy="dummy" | chart first(count) AS count over dummy by host | fields - dummy </CODE></PRE> Thu, 05 Nov 2015 20:46:50 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-average-a-dynamic-column-created-using-eval-Field/m-p/220103#M64704 woodcock 2015-11-05T20:46:50Z https://community.splunk.com/t5/Splunk-Search/How-can-I-average-a-dynamic-column-created-using-eval-Field/m-p/220104#M64705 <P>Added more information.</P> Thu, 05 Nov 2015 20:55:33 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-average-a-dynamic-column-created-using-eval-Field/m-p/220104#M64705 chustar 2015-11-05T20:55:33Z https://community.splunk.com/t5/Splunk-Search/How-can-I-average-a-dynamic-column-created-using-eval-Field/m-p/220105#M64706 <P>Given your clarification, this would be better (you must run timepicker on some subsection of <CODE>Today</CODE><span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P> <PRE><CODE>... | stats count BY host | addtotals col=t row=f | fillnull value="TOTAL" | sort 3 - count | eval Date="Today" | chart first(count) AS count over Date BY host </CODE></PRE> Thu, 05 Nov 2015 21:07:02 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-average-a-dynamic-column-created-using-eval-Field/m-p/220105#M64706 woodcock 2015-11-05T21:07:02Z https://community.splunk.com/t5/Splunk-Search/How-can-I-average-a-dynamic-column-created-using-eval-Field/m-p/220106#M64707 <P>Thanks, I'll try this</P> Fri, 06 Nov 2015 17:49:10 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-average-a-dynamic-column-created-using-eval-Field/m-p/220106#M64707 chustar 2015-11-06T17:49:10Z https://community.splunk.com/t5/Splunk-Search/How-can-I-average-a-dynamic-column-created-using-eval-Field/m-p/220107#M64708 <P>Thanks for the suggestion. Your answer led me in the right direction. <BR /> The main important thing was learning that <CODE>stats</CODE> and <CODE>chart</CODE> may look identical, but they are very different.</P> <P>I also used information from this answer as well: <A href="https://answers.splunk.com/answers/506/split-by-by-clause-of-chart-only-takes-2-dimensions-we-want-3.html#answer-507">https://answers.splunk.com/answers/506/split-by-by-clause-of-chart-only-takes-2-dimensions-we-want-3.html#answer-507</A></P> Fri, 06 Nov 2015 20:25:17 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-average-a-dynamic-column-created-using-eval-Field/m-p/220107#M64708 chustar 2015-11-06T20:25:17Z