Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Add a summary row to a statistics table

dbcase
Motivator
‎08-29-2016 09:22 AM

Hi,

I have this search:

index=mso_statistics sourcetype=ic_connectivity_5min-too_small stat_name = "cell" |eval mso = upper(substr(mso,1,1)).lower(substr(mso,2)) |stats sparkline(avg(stat_val)) as "Trend" first(stat_val) as "Current Cell Connectivity %" by mso|rename mso as "MSO - Click for Expanded View"

Which produces this Statistics Table (first column intentionally omitted)
alt text

What I'd like to do is append to the table at the bottom a row that indicates Avg, mean, etc of the data. I've tired append and appendpipe but the data never seems to display. (note: I've never used append or appendpipe before so it is VERY likely it is something I'm doing wrong)

Preview file
27 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎08-29-2016 09:40 AM

Try moving the appendpipe to after the stats command. Like this

 index=mso_statistics sourcetype=ic_connectivity_5min-too_small stat_name = "cell" |eval mso = upper(substr(mso,1,1)).lower(substr(mso,2)) |stats sparkline(avg(stat_val)) as "Trend" first(stat_val) as "Current Cell Connectivity %" by mso |appendpipe [stats avg(stat_val) as "Current Cell Connectivity %" | eval mso = "ALL MSO's"] |rename mso as "MSO - Click for Expanded View"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎08-29-2016 09:40 AM

Try moving the appendpipe to after the stats command. Like this

 index=mso_statistics sourcetype=ic_connectivity_5min-too_small stat_name = "cell" |eval mso = upper(substr(mso,1,1)).lower(substr(mso,2)) |stats sparkline(avg(stat_val)) as "Trend" first(stat_val) as "Current Cell Connectivity %" by mso |appendpipe [stats avg(stat_val) as "Current Cell Connectivity %" | eval mso = "ALL MSO's"] |rename mso as "MSO - Click for Expanded View"
0 Karma
Reply
Solved! Jump to solution

dbcase
Motivator
‎08-29-2016 09:44 AM

Hi Sundareshr,

I tried that one as well hoping it would do the trick but when I do the resulting table doesn't have any of the entries.

Meaning, no average and no "ALL MSO's" in the first column. I only got the ALL MSO's to show up when I put the appendpipe before the stats command

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎08-29-2016 09:48 AM

Then try this..

 index=mso_statistics sourcetype=ic_connectivity_5min-too_small stat_name = "cell" |eval mso = upper(substr(mso,1,1)).lower(substr(mso,2)) |stats sparkline(avg(stat_val)) as "Trend" first(stat_val) as "Current Cell Connectivity %" by mso |append [search index=mso_statistics sourcetype=ic_connectivity_5min-too_small stat_name = "cell" |eval mso = upper(substr(mso,1,1)).lower(substr(mso,2))  
 stats avg(stat_val) as "Current Cell Connectivity %" | eval mso = "ALL MSO's"] |rename mso as "MSO - Click for Expanded View"
Reply
Solved! Jump to solution

dbcase
Motivator
‎08-29-2016 09:53 AM

BINGO!!!! Thank you Sundareshr!!!!

0 Karma
Reply
Solved! Jump to solution

dbcase
Motivator
‎08-29-2016 09:32 AM

updated query, a bit closer but still not quite there

This one does get an entry into the first column (the one that was omitted) but no entry in the last column 

index=mso_statistics sourcetype=ic_connectivity_5min-too_small stat_name = "cell" |eval mso = upper(substr(mso,1,1)).lower(substr(mso,2)) |appendpipe [stats avg(stat_val) as "Current Cell Connectivity %" | eval mso = "ALL MSO's"]|stats sparkline(avg(stat_val)) as "Trend" first(stat_val) as "Current Cell Connectivity %" by mso|rename mso as "MSO - Click for Expanded View"
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...