Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Create a new field with categorical values for visualization

CarbonCriterium
Path Finder
‎08-25-2020 08:34 AM

I would like to create a new field, FlagSC,  based on the value of sc_status.  The new field should have a value of "OK"  when the status is 200, or a value of "Other" for all other statuses.   I intend to use this in a bubble chart with colors based on FlagSC

In theory,  if every cs_uri_stem has at least one event that is status 200 and at least one event that is something else, this could duplicate the number of rows in the output table.

I have tried variations of the code below:

...base search...

| stats values(eval(if(sc_status==200,"OK","Other"))) AS FlagSC, 
 avg(eval(time_taken)) AS avg_tt,  
 avg(eval(sc_bytes)) AS avg_bytes,
 count(eval(source)) AS NumTransactions,  
 BY cs_uri_stem 

| table FlagSC, avg_tt, avg_bytes, NumTransactions 

| rename avg_bytes AS "Average Bytes Returned" avg_tt AS "Average Time in Milliseconds" NumTransactions AS "# of Transactions"

 

Ultimately, the goal is to have something that might resemble  the following and does NOT include any rows where FlagSC is "OKOther"

cs_uri_stemFlagSCavg_ttavg_bytesNumTransactions
foo/OK.........
foo/Other.........
bar/OK.........
bar/Other.........

 

Labels (4)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-25-2020 09:35 AM

Don't you just need to move FlagSC outside of stats, and add it to your BY clause?

...base search...

| eval FlagSC=if(sc_status==200,"OK","Other") 
| stats avg(eval(time_taken)) AS avg_tt,  
 avg(eval(sc_bytes)) AS avg_bytes,
 count(eval(source)) AS NumTransactions,  
 BY cs_uri_stem, FlagSC 

| table cs_uri_stem, FlagSC, avg_tt, avg_bytes, NumTransactions 

| rename avg_bytes AS "Average Bytes Returned" avg_tt AS "Average Time in Milliseconds" NumTransactions AS "# of Transactions"

 

0 Karma
Reply
Get Updates on the Splunk Community!

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

The University of Nevada, Las Vegas (UNLV) is another premier research institution helping to shape the next ...

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...