Splunk Search

Add field post stats and transpose commands

ebs
Communicator

Hi, 

I want my data presented in a very specific way, which means I can't go the typical route of just adding the field I want presented after the by in my stats command as I'm using transpose on the header fields.

I can't use eventstats because that completely messes up my stats table.

This is the search:

| datamodel Test summariesonly=true search
| search "TEST.date"=2021-05-18 | rename "TEST.date" as date
| rename "TEST.uri_path" as uri_path
| eval category=case(like(uri_path, "/url1"), "highPriority", uri_path="/url2", "unattended",
uri_path="/url3", "lowPriority", uri_path="/url4", "largePayload")
| rename "TEST.response_time" as response_time
| stats avg(response_time) by category
| rename avg(response_time) as averageResponse
| eval averageResponse=round(averageResponse,3)
| transpose 0 header_field=category
| fillnull value=0 highPriority, lowPriority, largePayload, unattended
| fields highPriority, lowPriority, largePayload, unattended, date

I want to be able to fill my date field with the previously defined date field


bowesmana
SplunkTrust

So, where does your hard-coded string "2021-05-18" come from - if it really is just hard coded, you could just do 

| fillnull value=0 highPriority, lowPriority, largePayload, unattended 
| eval date="2021-05-18"
| fields highPriority, lowPriority, largePayload, unattended, date

but I suspect it's not, so if your condition is coming from a token, e.g. $date$, then you could still do the same, with 

| eval date=$date|s$

or you could do this after the round

| eval averageResponse=round(averageResponse,3)
| append [
  | makeresults 
  | fields - _time
  | eval category="date", averageResponse="2021-05-18"
]

again, depending on where your condition is coming from, the same issue applies.

Note a couple of tips for your existing SPL. 

You can do this

| rename "TEST.*" as *

and

| stats avg(response_time) as averageResponse by category

so you don't have to do the other separate renames


ebs
Communicator

It is a token, so thank you, but something weird happens when I have the command | eval date=$date$

It comes up in my table as 1998 and I have no idea why, because the correlating values from my first entrance of that date are accurate.

Please advise


ebs
Communicator

Figured it out, I needed quotation marks around the token or it would have taken it as a mathematical expression.


bowesmana
SplunkTrust

@ebs 

Note the syntax I used in my original regarding use of tokens 

| eval date=$date|s$

The |s (pipe s) before the closing $ sign is an instruction to the token handler as to how to represent the token.

See this link

https://docs.splunk.com/Documentation/Splunk/8.2.0/Viz/tokens#Syntax_to_consume_tokens

which shows what | token commands are available and how they affect token usage.

Using this

| eval date="$date$"

is the same when using the token in a dashboard, but there are subtle differences in how the |s syntax works compared to simple quoting when using the token in JavaScript.

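The 1998 result and the |s fix discussed in this thread, as an added Python model (this is not Splunk's token handler and not code from any poster). It substitutes dashboard tokens into an SPL fragment either verbatim ($date$) or through a modelled |s filter (wrap in double quotes, escape backslashes and embedded quotes; the exact escaping rules are an assumption, the docs only say the value is quoted and escaped), then interprets the right-hand side of `| eval date=...` the way SPL's eval does: a double-quoted literal is a string, bare digits and operators are arithmetic, so an unquoted 2021-05-18 becomes 2021 - 05 - 18 = 1998. The token value `a"b` used at the end is constructed to show why |s is safer than hand-written quotes: a value that itself contains a quote breaks the plain `"$date$"` form but survives `$date|s$`.

```python
import re

# Matches $name$ or $name|filter$ the way a Simple XML dashboard token looks.
TOKEN_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)(?:\|([a-z]+))?\$")


def filter_s(value: str) -> str:
    """Model of the ``|s`` token filter: wrap the value in double quotes and
    escape backslashes and embedded quotes so it stays a single string literal.
    (Exact escaping rules are an assumption; the docs only say 'quote and escape'.)"""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


FILTERS = {None: lambda v: v, "s": filter_s}


def substitute(spl: str, tokens: dict) -> str:
    """Replace every $name$ / $name|s$ in an SPL fragment with the token value."""
    def repl(m):
        name, flt = m.group(1), m.group(2)
        if flt not in FILTERS:
            raise ValueError(f"unsupported token filter |{flt}")
        return FILTERS[flt](tokens[name])
    return TOKEN_RE.sub(repl, spl)


def _parse_string(rhs: str):
    """Return the unescaped value if rhs is exactly one double-quoted literal, else None."""
    if not rhs.startswith('"'):
        return None
    out, i = [], 1
    while i < len(rhs):
        c = rhs[i]
        if c == "\\" and i + 1 < len(rhs):      # \" or \\ inside the literal
            out.append(rhs[i + 1])
            i += 2
            continue
        if c == '"':                             # closing quote must end the expression
            return "".join(out) if i == len(rhs) - 1 else None
        out.append(c)
        i += 1
    return None                                  # unterminated literal


def _arith(text: str):
    """Tiny + - * / evaluator over integer literals (leading zeros allowed, as in SPL).
    Raises ValueError for anything that is not pure arithmetic."""
    toks = re.findall(r"\d+|[-+*/]", text)
    if not toks or "".join(toks) != text.replace(" ", ""):
        raise ValueError(f"not an arithmetic expression: {text!r}")
    pos = 0

    def num():
        nonlocal pos
        if pos >= len(toks) or not toks[pos].isdigit():
            raise ValueError("expected a number")
        pos += 1
        return int(toks[pos - 1])

    def term():
        nonlocal pos
        v = num()
        while pos < len(toks) and toks[pos] in ("*", "/"):
            op = toks[pos]
            pos += 1
            r = num()
            v = v * r if op == "*" else v / r
        return v

    v = term()
    while pos < len(toks) and toks[pos] in ("+", "-"):
        op = toks[pos]
        pos += 1
        r = term()
        v = v + r if op == "+" else v - r
    if pos != len(toks):
        raise ValueError("trailing tokens")
    return v


def eval_rhs(fragment: str):
    """Interpret ``| eval field=<expr>`` roughly as SPL's eval does: a quoted literal
    is a string, bare digits and operators are arithmetic, anything else is invalid."""
    rhs = fragment.split("=", 1)[1].strip()
    s = _parse_string(rhs)
    if s is not None:
        return ("string", s)
    try:
        return ("number", _arith(rhs))
    except ValueError:
        return ("invalid", rhs)


if __name__ == "__main__":
    # Constructed token values: the date from the thread, and one containing a quote.
    for tokens in ({"date": "2021-05-18"}, {"date": 'a"b'}):
        for spl in ('| eval date=$date$', '| eval date="$date$"', '| eval date=$date|s$'):
            expanded = substitute(spl, tokens)
            print(f"{spl:26} -> {expanded:26} -> {eval_rhs(expanded)}")
```

Running the block prints the three forms for each token value: the unquoted form yields the number 1998, both quoted forms yield the string for the plain date, and only the |s form still yields a string once the value contains a quote. In a real dashboard the same property is what keeps a token value from being read as SPL rather than as data, which is the practical reason to prefer `$token|s$` over typing the quotes yourself.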