How can I average a dynamic column created using eval {Field}=Value

Path Finder

I would like to display some data that has columns based on dynamic data from the search results.
e.g. Assuming I have a query to calculate which two servers have the most users logging into them. I can write a query to give me the data in the form of:

Date | ServerWithMostLogins |  ServerWithSecondToMostLogins

However, rather than calling the columns ServerWithMostLogins, I'd rename the column to the server's name.
I know I can use something like | eval {ServerName} but then I don't think I would be able to run stats over that column.
Is this possible?

Edit, for example, say I have this data in my search result:

Date=Today UserName=user1 ServerLoggedInto=Server23
Date=Today UserName=user45 ServerLoggedInto=Server33
Date=Today UserName=user11 ServerLoggedInto=Server23
Date=Today UserName=user11 ServerLoggedInto=Server23
etc

What I would like is to display which 2 servers have the most logins:

| Date    | Server23 | Server33 |
+---------+----------+----------+
| Today   | 3        | 1        |

I get most of this, the thing currently stumping me is how to get the ServerName as the column name.

0 Karma
1 Solution

Esteemed Legend

Like this:

... | chart count over host | addtotals col=t row=f | fillnull value="TOTAL" | sort 3 - count | eval dummy="dummy" | chart first(count) AS count over dummy by host | fields - dummy


Path Finder

Thanks for the suggestion. Your answer led me in the right direction.
The main important thing was learning that stats and chart may look identical, but they are very different.

I also used information from this answer as well: https://answers.splunk.com/answers/506/split-by-by-clause-of-chart-only-takes-2-dimensions-we-want-3...

0 Karma

Esteemed Legend

Given your clarification, this would be better (you must run the timepicker on some subsection of Today):

... | stats count BY host | addtotals col=t row=f | fillnull value="TOTAL" | sort 3 - count | eval Date="Today" | chart first(count) AS count over Date BY host

0 Karma
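To try the pipeline above end to end without an index, here is an added example (not part of the thread) that builds the four sample events from the question with makeresults; the field name ServerLoggedInto comes from the question, and the user-to-server assignments are constructed to reproduce its sample data.

```spl
| makeresults count=4
| streamstats count AS n
| eval Date="Today",
       UserName=case(n==1,"user1", n==2,"user45", n==3,"user11", n==4,"user11"),
       ServerLoggedInto=case(n==2,"Server33", true(),"Server23")
| stats count BY ServerLoggedInto
| addtotals col=t row=f
| fillnull value="TOTAL" ServerLoggedInto
| sort 3 - count
| eval Date="Today"
| chart first(count) AS count over Date BY ServerLoggedInto
```

The stats step yields Server23=3 and Server33=1, addtotals appends a TOTAL row of 4, sort 3 keeps TOTAL plus the top two servers, and the final chart pivots those server names into columns on a single Date row; drop `addtotals` and `fillnull` and use `sort 2 - count` if the TOTAL column is not wanted.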

Path Finder

Thanks, I'll try this

0 Karma

Splunk Employee

Can you expand on what the table you have looks like and what the table you want looks like ?

0 Karma

Path Finder

Added more information.

0 Karma