Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create a table of eval fields along with stats

shah_nishay
Engager
‎10-02-2017 09:45 AM

I have a query where I eval 3 fields by substracting different timestamps

eval Field1 = TS1-TS2
eval Field2 = TS3-TS4
eval Field3 = TS5- TS6
eval Date = strftime(_time, "%m-%d-%Y")
Next I use the stats command to calculate count, min,max,average for these 3 evaluated Fields by date.

If use stats count(Field1), count(Field2),count(Field3) by Date then I end up with all the values in same row.
How can i get these stats for each Fields in different line ?
i.e my out put should look like :

Date,Fields,Min,Max,Avg
10/2/2017, Field1,5,10,8
10/2/2017, Field2,15,110,30
10/2/2017, Field3,11,102,58
10/3/2017, Field1,15,110,28
10/3/2017, Field2,25,210,100
10/3/2017, Field3,12,110,60

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎10-02-2017 10:10 AM

Try like this

your base search
| eval Field1 = TS1-TS2
| eval Field2 = TS3-TS4
| eval Field3 = TS5- TS6
| eval Date = strftime(_time, "%m-%d-%Y") | table Date Field1 Field2 Field3
| untable Date Fields Value
| stats min(Value) as Min max(Value) as Max avg(Value) as Avg by Date Fields

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎10-02-2017 10:10 AM

Try like this

your base search
| eval Field1 = TS1-TS2
| eval Field2 = TS3-TS4
| eval Field3 = TS5- TS6
| eval Date = strftime(_time, "%m-%d-%Y") | table Date Field1 Field2 Field3
| untable Date Fields Value
| stats min(Value) as Min max(Value) as Max avg(Value) as Avg by Date Fields
Reply
Solved! Jump to solution

shah_nishay
Engager
‎10-02-2017 11:14 AM

Awesome.. this solution worked !

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...