Solved: How do I use a different aggregator based on a tok...

sillingworth · ‎06-27-2017

I have this search:

... 
| rename value as "Response Time"
| timechart span=1m max("Response Time") by app_name limit=5 useother=false usenull=false

and I'd like to allow 'max("Response Time")' to change to 'avg("Response Time")' depending on user input. Is there a way to do this?

I've tried $token$("Response Time") but that doesn't work.

sillingworth · ‎06-28-2017

Here's how I've done it:

        ...
        | stats max(value) as PerMinMax, avg(value) as PerMinAvg by _time, app_name
        | eval "Response Time"=case("Average"=="Max", PerMinMax, "Average"=="Average", PerMinAvg) 
        | timechart span=1m max("Response Time") by app_name limit=5 useother=false usenull=false

View solution in original post

sillingworth · ‎06-28-2017

Here's how I've done it:

        ...
        | stats max(value) as PerMinMax, avg(value) as PerMinAvg by _time, app_name
        | eval "Response Time"=case("Average"=="Max", PerMinMax, "Average"=="Average", PerMinAvg) 
        | timechart span=1m max("Response Time") by app_name limit=5 useother=false usenull=false

How do I use a different aggregator based on a token?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?