Add field post stats and transpose commands

ebs
Communicator

Hi, 

I want my data presented in a very specific way, which means I can't go the typical route of just adding the field I want presented after the by in my stats command as I'm using transpose on the header fields.

I can't use eventstats because that completely messes up my stats table.

This is the search:

| datamodel Test summariesonly=true search
| search "TEST.date"=2021-05-18 | rename "TEST.date" as date
| rename "TEST.uri_path" as uri_path
| eval category=case(like(uri_path, "/url1"), "highPriority", uri_path="/url2", "unattended",
uri_path="/url3", "lowPriority", uri_path="/url4", "largePayload")
| rename "TEST.response_time" as response_time
| stats avg(response_time) by category
| rename avg(response_time) as averageResponse
| eval averageResponse=round(averageResponse,3)
| transpose 0 header_field=category
| fillnull value=0 highPriority, lowPriority, largePayload, unattended
| fields highPriority, lowPriority, largePayload, unattended, date

I want to be able to fill my date field with the previously defined date field


bowesmana
SplunkTrust

So, where does your hard-coded string "2021-05-18" come from - if it really is just hard coded, you could just do 

| fillnull value=0 highPriority, lowPriority, largePayload, unattended 
| eval date="2021-05-18"
| fields highPriority, lowPriority, largePayload, unattended, date

but I suspect it's not, so if your condition is coming from a token, e.g. $date$, then you could still do the same, with 

| eval date=$date|s$

or you could do this after the round

| eval averageResponse=round(averageResponse,3)
| append [
  | makeresults 
  | fields - _time
  | eval category="date", averageResponse="2021-05-18"
]

again, depending on where your condition is coming from, the same issue applies.

Note a couple of tips for your existing SPL. 

You can do this

| rename "TEST.*" as *

and

| stats avg(response_time) as averageResponse by category

so you don't have to do the other separate renames

 


ebs
Communicator

It is a token, so thank you, but something weird happens when I have the command | eval date-$date 

It comes up in my table as 1998 and I have no idea why, because the correlating values from my first entrance of that date are accurate.

Please advise


ebs
Communicator

Figured it out, I needed quotations around the token or it would have taken it as a mathematical expression.


bowesmana
SplunkTrust

@ebs 

Note the syntax I used in my original regarding use of tokens 

| eval date=$date|s$

The |s (pipe s) before the closing $ sign is an instruction to the token handler as to how to represent the token.

See this link

https://docs.splunk.com/Documentation/Splunk/8.2.0/Viz/tokens#Syntax_to_consume_tokens

which shows what | token commands are available and how they affect token usage.

Using this

| eval date="$date$"

is the same when using the token in a dashboard, but there are subtle differences in how the |s syntax works compared to simple quoting when using the token in Javascript.

 
