Splunk Search

Add field post stats and transpose commands

ebs
Communicator

Hi, 

I want my data presented in a very specific way, which means I can't go the typical route of just adding the field I want presented after the by in my stats command as I'm using transpose on the header fields.

I can't use eventstats because that completely messes up my stats table.

This is the search:

| datamodel Test summariesonly=true search
| search "TEST.date"=2021-05-18 | rename "TEST.date" as date
| rename "TEST.uri_path" as uri_path
| eval category=case(like(uri_path, "/url1"), "highPriority", uri_path="/url2", "unattended",
uri_path="/url3", "lowPriority", uri_path="/url4", "largePayload")
| rename "TEST.response_time" as response_time
| stats avg(response_time) by category
| rename avg(response_time) as averageResponse
| eval averageResponse=round(averageResponse,3)
| transpose 0 header_field=category
| fillnull value=0 highPriority, lowPriority, largePayload, unattended
| fields highPriority, lowPriority, largePayload, unattended, date

I want to be able to fill my date field with the previously defined date field.


bowesmana
SplunkTrust

So, where does your hard-coded string "2021-05-18" come from? If it really is just hard-coded, you could just do

| fillnull value=0 highPriority, lowPriority, largePayload, unattended 
| eval date="2021-05-18"
| fields highPriority, lowPriority, largePayload, unattended, date

but I suspect it's not, so if your condition is coming from a token, e.g. $date$, then you could still do the same, with 

| eval date=$date|s$

or you could do this after the round

| eval averageResponse=round(averageResponse,3)
| append [
  | makeresults 
  | fields - _time
  | eval category="date", averageResponse="2021-05-18"
]

again, depending on where your condition is coming from, the same issue applies.

Note a couple of tips for your existing SPL. 

You can do this

| rename "TEST.*" as *

and

| stats avg(response_time) as averageResponse by category

so you don't have to do the other separate renames

 


ebs
Communicator

It is a token, so thank you, but something weird happens when I have the command | eval date=$date$

It comes up in my table as 1998 and I have no idea why, because the correlating values from my first entry of that date are accurate.

Please advise


ebs
Communicator

Figured it out, I needed quotation marks around the token or it would have taken it as a mathematical expression.


bowesmana
SplunkTrust

@ebs 

Note the syntax I used in my original regarding use of tokens 

| eval date=$date|s$

The |s (pipe s) before the closing $ sign is an instruction to the token handler as to how to represent the token.

See this link

https://docs.splunk.com/Documentation/Splunk/8.2.0/Viz/tokens#Syntax_to_consume_tokens

which shows what | token commands are available and how they affect token usage.

Using this

| eval date="$date$"

is the same when using the token in a dashboard, but there are subtle differences in how the |s syntax works compared to simple quoting when using the token in JavaScript.

 

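To make the 1998 result and the |s fix concrete, here is an added Python model of the token substitution step (example code written for this thread, not Splunk's implementation). It assumes, as the docs linked above describe, that $tok$ pastes the raw value and $tok|s$ wraps it in double quotes with embedded quotes and backslashes escaped; the left-to-right add/subtract evaluator stands in for how eval treats an unquoted 2021-05-18.

```python
import re

# $name$ or $name|filter$ as used in Splunk dashboard SPL
TOKEN_RE = re.compile(r"\$(\w+)(?:\|(\w+))?\$")


def quote_spl(value: str) -> str:
    """Model of the |s filter: double-quote the value, escaping \\ and \" inside it."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def substitute_tokens(spl: str, tokens: dict) -> str:
    """Replace every $token$ / $token|s$ in an SPL fragment with its value."""
    def repl(match: re.Match) -> str:
        name, filt = match.group(1), match.group(2)
        value = tokens[name]
        if filt is None:
            return value              # raw paste: the value becomes SPL syntax
        if filt == "s":
            return quote_spl(value)   # |s: the value becomes a string literal
        raise ValueError(f"unsupported token filter: {filt}")
    return TOKEN_RE.sub(repl, spl)


def eval_add_sub(expr: str) -> int:
    """Left-to-right integer add/subtract, e.g. '2021-05-18' -> 2021 - 5 - 18."""
    total = 0
    for sign, digits in re.findall(r"([+-]?)\s*(\d+)", expr):
        total += -int(digits) if sign == "-" else int(digits)
    return total


def render_eval_date(spl_template: str, tokens: dict):
    """Substitute tokens, then return (final SPL, value eval would assign)."""
    spl = substitute_tokens(spl_template, tokens)
    rhs = spl.split("=", 1)[1].strip()
    if len(rhs) >= 2 and rhs.startswith('"') and rhs.endswith('"'):
        # quoted: a string literal, unescape what quote_spl escaped
        return spl, rhs[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    # unquoted: eval parses it as an arithmetic expression
    return spl, eval_add_sub(rhs)


if __name__ == "__main__":
    tokens = {"date": "2021-05-18"}  # constructed sample token value
    print(render_eval_date("| eval date=$date$", tokens))     # -> ('| eval date=2021-05-18', 1998)
    print(render_eval_date("| eval date=$date|s$", tokens))   # -> ('| eval date="2021-05-18"', '2021-05-18')
```

The same quoting is what keeps a token value containing its own double quote from ending the string literal early, which is why |s is preferable to hand-placed quotes when the value is not fully under your control.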