
How to add a static column to a table with dynamically search result

New Member

I have a search that successfully generates a dynamic table, but I couldn't add a static column called baseline.

I tried to use the search below to add baseline according to apiName, but couldn't get it to produce the result:

index=* sourcetype=log
| eval baseline=case(apiName=="apiA_MS",200,apiName=="apiB_MS",300,apiName=="apiC_MS",400)
| eval temp=1
| table api*MS
| untable temp apiName response_time
| stats avg(response_time) as avg_ms, max(response_time) as max_ms, min(response_time) as min_ms by apiName
| table apiName, baseline, avg_ms, max_ms, min_ms
| eval avg_ms=round(avg_ms)

I want to see the result as below, with baseline added:

apiName      baseline     avg_ms     max_ms     min_ms
apiA_MS      200          100        200        50
apiB_MS      300          250        350        100
apiC_MS      400          350        500        200

Appreciate your help.

0 Karma

Re: How to add a static column to a table with dynamically search result

SplunkTrust

The stats command is throwing away the baseline field. Try using eventstats, instead.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

Re: How to add a static column to a table with dynamically search result

Legend

Create the baseline field only after you have performed stats and got your desired results. You are not using baseline prior to the stats anyways.

<Your Base Search>
| stats avg(response_time) as avg_ms, max(response_time) as max_ms, min(response_time) as min_ms by apiName
| eval baseline=case(apiName=="apiA_MS",200,apiName=="apiB_MS",300,apiName=="apiC_MS",400)
| <Your remaining search>



| eval message="Happy Splunking!!!"



0 Karma
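
The accepted approach, run end to end as an added example (not code from any post in this thread): `stats` outputs only its aggregates and its `by` fields, so `baseline` is created after it. Here `makeresults` stands in for the base search, and the three events and their response times are constructed so that the output matches the table in the question; `temp` is kept in the `table` step so that `untable` has its row field.

```spl
| makeresults count=3
| streamstats count as n
| eval apiA_MS=case(n==1,50, n==2,50, n==3,200)
| eval apiB_MS=case(n==1,100, n==2,300, n==3,350)
| eval apiC_MS=case(n==1,200, n==2,350, n==3,500)
| eval temp=1
| table temp api*MS
| untable temp apiName response_time
| stats avg(response_time) as avg_ms, max(response_time) as max_ms, min(response_time) as min_ms by apiName
| eval baseline=case(apiName=="apiA_MS",200, apiName=="apiB_MS",300, apiName=="apiC_MS",400)
| eval avg_ms=round(avg_ms)
| table apiName, baseline, avg_ms, max_ms, min_ms
```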

Re: How to add a static column to a table with dynamically search result

New Member

Cool. Thanks for the help.

0 Karma

Re: How to add a static column to a table with dynamically search result

Legend

@bing_zheng@intuit.com... Anytime 🙂




| eval message="Happy Splunking!!!"


0 Karma