How do you display AVG, MIN, and MAX as row headers by Service?

cmcdole
Path Finder

I have several services that I need to calculate Avg/min/max for.

{basesearch} | stats avg(transTime) as "Avg", min(transTime) as "Min", max(transTime) as "Max", values(JBossService) as JBoss_Service by JBossService

I need the display to look something like this.

         Service1|Service2|Service3|Service4
Avg  ____###__|__###__|__##____|__##____
Min  ____###__|__###__|__##____|__##____
Max  ____###__|__###__|__##____|__##____

Please help!! Thanks 🙂

0 Karma

isachse
Explorer

Have a look at the untable command. That might be a good solution.

0 Karma
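
One way to apply the untable suggestion above, as an added example that is not part of any post in this thread: `untable` flattens the `stats` output to one row per service and statistic, and `xyseries` pivots it back with the statistics as rows and the services as columns. The `makeresults`/`streamstats`/`eval` lines only build constructed sample data, and the field names `n`, `stat` and `value` are assumptions chosen for illustration.

```spl
| makeresults count=12
| streamstats count as n
| eval JBossService="Service".((n % 4) + 1), transTime=(n * 37) % 250 + 20
| stats avg(transTime) as Avg, min(transTime) as Min, max(transTime) as Max by JBossService
| untable JBossService stat value
| xyseries stat JBossService value
```

Against real data, replace the first three lines with the base search and keep the pipeline from `stats` onward.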

niketn
Legend

@cmcdole try the following with the transpose command with limit=0 to invert all rows as columns and columns as rows:

{basesearch} 
| stats avg(transTime) as "Avg", min(transTime) as "Min", max(transTime) as "Max" by JBossService
| transpose 0 header_field=JBossService column_name=JBossService

The following is a run-anywhere search based on Splunk's _internal index:

index=_internal sourcetype=splunkd log_level!=INFO
| stats avg(date_second) as Avg min(date_second) as Min max(date_second) as Max by component
| transpose 0 header_field=component column_name=component
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

0 Karma

cmcdole
Path Finder

This worked perfectly!! Thanks!

0 Karma

solarboyz1
Builder

Try using the chart function:

You can specify which field is tracked on the x-axis of the chart. The x-axis variable is specified with a by field and is discretized if necessary. Charted fields are converted to numerical quantities if necessary.
(https://docs.splunk.com/Documentation/Splunk/7.2.4/SearchReference/Chart)

... | chart avg(transTime) as "Avg", min(transTime) as "Min", max(transTime) as "Max", values(JBossService) as JBoss_Service by JBossService

0 Karma