Hi Community,
I'm using Splunk Java SDK in my application, this version to be exact:
implementation group: 'com.splunk', name: 'splunk', version: '1.6.5.0'
In the app, I'm trying to get some stats on a metric from Splunk logs.
Here's the native search command in Splunk
`myapp` "Message of interest" | eventstats min(metricOfInterest) as ft_min max(metricOfInterest) as ft_max avg(metricOfInterest) as ft_avg stdev(metricOfInterest) as ft_stdev | fields ft_min, ft_max, ft_avg, ft_stdev
So this query would return a bunch of events and 4 additional fields ft_min, ft_max, ft_avg, ft_stdev for each event. For the sake of the conversation, let's say 200 events matched the search.
In my app, the `SplunkResponse` contains 200 `Map<String, Object>` entries; each map represents an event.
What I want is a single entry that contains only `ft_min, ft_max, ft_avg, ft_stdev`. Right now, I can extract it from an event (among those 200), but having all events is too verbose and unnecessary. Is this achievable by twisting the query or using a particular SDK API?
Thanks,
Tuan
@tuandinh - You need to use the stats command instead of eventstats.
`myapp` "Message of interest" | stats min(metricOfInterest) as ft_min max(metricOfInterest) as ft_max avg(metricOfInterest) as ft_avg stdev(metricOfInterest) as ft_stdev | fields ft_min, ft_max, ft_avg, ft_stdev
I hope this helps!!!
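As an added illustration (not part of the original thread and not Splunk's or the SDK's own code), the following Python snippet models the difference the answer relies on: eventstats appends the four aggregates to every matching event, so the SDK hands back one map per event, whereas stats collapses the result set to a single row. The sample events, the message filter standing in for the `myapp` macro, and the function names are constructed for this example; the aggregation uses the sample standard deviation, which is what Splunk's stdev computes (stdevp is the population variant).

```python
"""Model of Splunk's eventstats vs. stats over a constructed event set."""
import statistics

# Constructed sample events standing in for what `myapp` "Message of interest" matches.
EVENTS = [
    {"message": "Message of interest", "metricOfInterest": 2.0},
    {"message": "Message of interest", "metricOfInterest": 4.0},
    {"message": "Message of interest", "metricOfInterest": 6.0},
    {"message": "Message of interest"},                           # metric absent: skipped by the aggregate
    {"message": "Unrelated message", "metricOfInterest": 100.0},  # not matched by the search
]

SUMMARY_FIELDS = ["ft_min", "ft_max", "ft_avg", "ft_stdev"]


def search(events, message):
    """Stand-in for the search head: keep events whose message matches."""
    return [e for e in events if e.get("message") == message]


def _aggregate(events, field):
    """min/max/avg/stdev over events that carry the field (nulls ignored, as in SPL)."""
    values = [float(e[field]) for e in events if field in e]
    if not values:
        return {}
    return {
        "ft_min": min(values),
        "ft_max": max(values),
        "ft_avg": statistics.fmean(values),
        # Splunk's stdev is the sample standard deviation; a single value yields 0.
        "ft_stdev": statistics.stdev(values) if len(values) > 1 else 0.0,
    }


def eventstats(events, field):
    """eventstats: every event is kept and the summary fields are appended to each."""
    summary = _aggregate(events, field)
    return [{**e, **summary} for e in events]


def stats(events, field):
    """stats: the whole result set collapses to one row holding the aggregates."""
    summary = _aggregate(events, field)
    return [summary] if summary else []


def fields(rows, keep):
    """fields: project each row onto the requested field names."""
    return [{k: r[k] for k in keep if k in r} for r in rows]


def run_eventstats_query():
    """... | eventstats ... | fields ft_min, ft_max, ft_avg, ft_stdev"""
    matched = search(EVENTS, "Message of interest")
    return fields(eventstats(matched, "metricOfInterest"), SUMMARY_FIELDS)


def run_stats_query():
    """... | stats ... | fields ft_min, ft_max, ft_avg, ft_stdev"""
    matched = search(EVENTS, "Message of interest")
    return fields(stats(matched, "metricOfInterest"), SUMMARY_FIELDS)


if __name__ == "__main__":
    print(len(run_eventstats_query()), "rows from eventstats (one per matched event)")
    print(len(run_stats_query()), "row from stats:", run_stats_query()[0])
```

Running it shows four identical summary rows from the eventstats form (one per matched event, including the one without the metric) and a single row from the stats form. Besides being less verbose for the calling code, the stats form also means the application pulls only the aggregate out of Splunk rather than every raw event, which is the smaller footprint to grant a service account that only needs a summary.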