Splunk Search

How to add a static column to a table with dynamic search results

bing_zheng
New Member

I have a search that successfully generates a dynamic table, but I couldn't add a static column called baseline.

I tried to use the search below to add baseline according to apiName, but couldn't get it to produce the result:

index=* sourcetype=log 
|eval baseline=case(apiName=="apiA_MS",200,apiName=="apiB_MS",300,apiName=="apiC_MS",400)
| eval temp=1 
| table api*MS 
| untable temp apiName response_time  
| stats avg(response_time) as avg_ms, max(response_time) as max_ms, min(response_time) as min_ms by apiName 
|table apiName, baseline,avg_ms,max_ms,min_ms
| eval avg_ms=round(avg_ms)

I want to see the result as below, with baseline added:

apiName      baseline     avg_ms      max_ms                 min_ms
apiA_MS      200          100         200                    50
apiB_MS      300          250         350                    100
apiC_MS      400          350         500                    200

Appreciate your help.

0 Karma
1 Solution

niketn
Legend

Create the baseline field only after you have performed stats and got your desired results. You are not using baseline prior to the stats anyways.

<Your Base Search>
| stats avg(response_time) as avg_ms, max(response_time) as max_ms, min(response_time) as min_ms by apiName
| eval baseline=case(apiName=="apiA_MS",200,apiName=="apiB_MS",300,apiName=="apiC_MS",400)
| <Your remaining search>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"


0 Karma
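
A run-anywhere version of the accepted fix, added here as an example and not part of the original thread. It builds constructed sample response times with makeresults (the numeric values and the helper field n are assumptions), runs the untable and stats steps from the question, and creates baseline only afterwards, since stats returns just its aggregates and the by field. Here temp is kept in the table command so that untable has its first field.

```spl
| makeresults count=4
| streamstats count as n
| eval apiA_MS=case(n==1,50, n==2,100, n==3,150, n==4,200)
| eval apiB_MS=apiA_MS+100, apiC_MS=apiA_MS*2
| eval temp=1
| table temp api*MS
| untable temp apiName response_time
| stats avg(response_time) as avg_ms, max(response_time) as max_ms, min(response_time) as min_ms by apiName
| eval baseline=case(apiName=="apiA_MS",200, apiName=="apiB_MS",300, apiName=="apiC_MS",400)
| eval avg_ms=round(avg_ms)
| table apiName, baseline, avg_ms, max_ms, min_ms
```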

bing_zheng
New Member

Cool. Thanks for the help.

0 Karma

niketn
Legend

@bing_zheng@intuit.com... Anytime 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

richgalloway
SplunkTrust

The stats command is throwing away the baseline field. Try using eventstats, instead.

---
If this reply helps you, Karma would be appreciated.
0 Karma