Splunk Search

Add field post stats and transpose commands

ebs
Communicator

Hi, 

I want my data presented in a very specific way, which means I can't go the typical route of just adding the field I want presented after the by in my stats command as I'm using transpose on the header fields.

I can't use eventstats because that completely messes up my stats table.

This is the search:

| datamodel Test summariesonly=true search
| search "TEST.date"=2021-05-18| rename "TEST.date" as date
| rename "TEST.uri_path" as uri_path
| eval category=case(like(uri_path, "/url1), "highPriority", uri_path="/url2", "unattended",
uri_path="/url3, "lowPriority", uri_path="/url4", "largePayload")
| rename "TEST.response_time" as response_time
| stats avg(response_time) by category
| rename avg(response_time) as averageResponse
| eval averageResponse=round(averageResponse,3)
| transpose 0 header_field=category
| fillnull value=0 highPriority, lowPriority, largePayload, unattended
| fields highPriority, lowPriority, largePayload, unattended, date

I want to be able to fill my date field with the previously defined date field

Labels (4)
0 Karma
1 Solution

bowesmana
SplunkTrust
SplunkTrust

So, where does your hard-coded string "2021-05-18" come from - if it really is just hard coded, you could just do 

| fillnull value=0 highPriority, lowPriority, largePayload, unattended 
| eval date="2021-05-18"
| fields highPriority, lowPriority, largePayload, unattended, date

but I suspect it's not, so if your condition is coming from a token, e.g. $date$, then you could still do the same, with 

| eval date=$date|s$

or you could do this after the round

| eval averageResponse=round(averageResponse,3)
| append [
  | makeresults 
  | fields - _time
  | eval category="date", averageResponse="2021-05-18"
]

again, depending on where your condition is coming from, the same issue applies.

Note a couple of tips for your existing SPL. 

You can do this

| rename "TEST.*" as *

and

| stats avg(response_time) as averageResponse by category

so you don't have to do the other separate renames

 

View solution in original post

bowesmana
SplunkTrust
SplunkTrust

So, where does your hard-coded string "2021-05-18" come from - if it really is just hard coded, you could just do 

| fillnull value=0 highPriority, lowPriority, largePayload, unattended 
| eval date="2021-05-18"
| fields highPriority, lowPriority, largePayload, unattended, date

but I suspect it's not, so if your condition is coming from a token, e.g. $date$, then you could still do the same, with 

| eval date=$date|s$

or you could do this after the round

| eval averageResponse=round(averageResponse,3)
| append [
  | makeresults 
  | fields - _time
  | eval category="date", averageResponse="2021-05-18"
]

again, depending on where your condition is coming from, the same issue applies.

Note a couple of tips for your existing SPL. 

You can do this

| rename "TEST.*" as *

and

| stats avg(response_time) as averageResponse by category

so you don't have to do the other separate renames

 

ebs
Communicator

It is a token, so thank you but something weird happens when I have the command | eval date-$date 

It comes up in my table as 1998 and I have no idea why because the correlating values from my first enterance of that date is accurate.

Please advise

Tags (1)
0 Karma

ebs
Communicator

Figured it out, I needed quotations around the token or it would have taken it as a mathematical expression

Tags (1)
0 Karma

bowesmana
SplunkTrust
SplunkTrust

@ebs 

Note the syntax I used in my original regarding use of tokens 

| eval date=$date|s$

The |s (pipe s) before the closing $ sign is an instruction to the token handler as to how to represent the token.

See this link

https://docs.splunk.com/Documentation/Splunk/8.2.0/Viz/tokens#Syntax_to_consume_tokens

which shows what | token commands are available and how they affect token usage.

Using this

| eval date="$date$"

is the same when using the token in a dashboard, but there are subtle differences in how the |s syntax works compared to simple quoting when using the token in Javascript.

 

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...