Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I average a dynamic column created using eval {Field}=Value

chustar
Path Finder
‎11-05-2015 12:23 PM

I would like to display some data that has columns based on dynamic data from the search results.
e.g. Assuming I have a query to calculate which two servers have the most users logging into them. I can write a query to give me the data in the form of: 

Date | ServerWithMostLogins |  ServerWithSecondToMostLogins

However, rather than calling the columns ServerWithMostLogins, I'd rename the column to the server's name.
I know I can use something like | eval {ServerName} but then I don't think I would be able to run stats over that column.
Is this possible?

Edit, for example, say I have this data in my search result:

Date=Today UserName=user1 ServerLoggedInto=Server23
Date=Today UserName=user45 ServerLoggedInto=Server33
Date=Today UserName=user11 ServerLoggedInto=Server23
Date=Today UserName=user11 ServerLoggedInto=Server23
etc

What I would like is to display which 2 servers have the most logins:

| Date    | Server23 | Server 33 |
+---------+----------+-----------+
| Today   | 3        | 1         |

I get most of this, the thing currently stumping me is how to get the ServerName as the column name.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎11-05-2015 12:46 PM

Like this:

... | chart count over host | addtotals col=t row=f | fillnull value="TOTAL" | sort 3 - count | eval dummy="dummy" | chart first(count) AS count over dummy by host | fields - dummy

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎11-05-2015 12:46 PM

Like this:

... | chart count over host | addtotals col=t row=f | fillnull value="TOTAL" | sort 3 - count | eval dummy="dummy" | chart first(count) AS count over dummy by host | fields - dummy
Reply
Solved! Jump to solution

chustar
Path Finder
‎11-06-2015 12:25 PM

Thanks for the suggestion. Your answer led me in the right direction.
The main important thing was learning that stats and chart may look identical, but they are very different.

I also used information from this answer as well: https://answers.splunk.com/answers/506/split-by-by-clause-of-chart-only-takes-2-dimensions-we-want-3...

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎11-05-2015 01:07 PM

Given your clarification, this would be better (you must run timepicker on some subsection of Today😞

... | stats count BY host | addtotals col=t row=f | fillnull value="TOTAL" | sort 3 - count | eval Date="Today" | chart first(count) AS count over Date BY host
0 Karma
Reply
Solved! Jump to solution

chustar
Path Finder
‎11-06-2015 09:49 AM

Thanks, I'll try this

0 Karma
Reply
Solved! Jump to solution

aljohnson_splun
Splunk Employee
Splunk Employee
‎11-05-2015 12:40 PM

Can you expand on what the table you have looks like and what the table you want looks like ?

0 Karma
Reply
Solved! Jump to solution

chustar
Path Finder
‎11-05-2015 12:55 PM

Added more information.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
Top