Solved: How to create a table of eval fields along with st...

shah_nishay · ‎10-02-2017

I have a query where I eval 3 fields by substracting different timestamps

eval Field1 = TS1-TS2
eval Field2 = TS3-TS4
eval Field3 = TS5- TS6
eval Date = strftime(_time, "%m-%d-%Y")
Next I use the stats command to calculate count, min,max,average for these 3 evaluated Fields by date.

If use stats count(Field1), count(Field2),count(Field3) by Date then I end up with all the values in same row.
How can i get these stats for each Fields in different line ?
i.e my out put should look like :

Date,Fields,Min,Max,Avg
10/2/2017, Field1,5,10,8
10/2/2017, Field2,15,110,30
10/2/2017, Field3,11,102,58
10/3/2017, Field1,15,110,28
10/3/2017, Field2,25,210,100
10/3/2017, Field3,12,110,60

somesoni2 · ‎10-02-2017

Try like this

your base search
| eval Field1 = TS1-TS2
| eval Field2 = TS3-TS4
| eval Field3 = TS5- TS6
| eval Date = strftime(_time, "%m-%d-%Y") | table Date Field1 Field2 Field3
| untable Date Fields Value
| stats min(Value) as Min max(Value) as Max avg(Value) as Avg by Date Fields

View solution in original post

somesoni2 · ‎10-02-2017

Try like this

your base search
| eval Field1 = TS1-TS2
| eval Field2 = TS3-TS4
| eval Field3 = TS5- TS6
| eval Date = strftime(_time, "%m-%d-%Y") | table Date Field1 Field2 Field3
| untable Date Fields Value
| stats min(Value) as Min max(Value) as Max avg(Value) as Avg by Date Fields

shah_nishay · ‎10-02-2017

Awesome.. this solution worked !

How to create a table of eval fields along with stats

Index This | What can you do to make 55,555 equal 500?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

AppDynamics is now part of Splunk Ideas