Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to create a conditional stats search based on ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I am trying to write a conditional stats command based on a field value.
So for example:
I have a field called stat_command
Name, No., stat_command
Name1, 5, latest
Name2, 12, avg
Name3, 13, max
So for stat_command = latest, I want to run | stats latest(Number)
for stat_command = avg, I want to run | stats avg(Number)
Is there a way to do this in a search-efficient way without doing many appends?
I have tried using macros, map, and case statements but have not had much luck.
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
As i had to split by a number of fields, including the Name field, we were able to do the following:
| stats latest(Value) AS latest_value
avg(Value) AS avg_value
max(Value) AS max_value
min(Value) AS min_value
count(Value) AS count_value
BY Name
| eval value=case(stats_command="latest", latest_value,
stats_command="avg", avg_value,
stats_command="min", min_value,
stats_command="max", max_value,
stats_command="count", count_value,
1=1, Value)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
As i had to split by a number of fields, including the Name field, we were able to do the following:
| stats latest(Value) AS latest_value
avg(Value) AS avg_value
max(Value) AS max_value
min(Value) AS min_value
count(Value) AS count_value
BY Name
| eval value=case(stats_command="latest", latest_value,
stats_command="avg", avg_value,
stats_command="min", min_value,
stats_command="max", max_value,
stats_command="count", count_value,
1=1, Value)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@ronny_wang If your problem is resolved, please accept an answer to help future readers.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@ronny_wang,
Does this approach work for you ?
| eventstats latest(No) as _latest,avg(No) as _avg,max(No) as _Max
| eval value=case(stat_command=="latest",_latest,stat_command=="avg",_avg,stat_command=="max",_Max)
Get all types of aggregate values using stats and select only the value based on your condition
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, As i had to split by a number of fields, including the name field, I was able to solve this with the following
| stats latest(Value) AS latest_value
avg(Value) AS avg_value
max(Value) AS max_value
min(Value) AS min_value
count(Value) AS count_value
latest(_time) AS event_time_epoch
BY Name
| eval metric_value=case(stats_command="latest", latest_value,
stats_command="avg", avg_value,
stats_command="min", min_value,
stats_command="max", max_value,
stats_command="count", count_value,
1=1, Value)
Splunk Lantern’s Guide to The Most Popular .conf25 Sessions
Unlock What’s Next: The Splunk Cloud Platform at .conf25
Index This | How many sevens are there between 1 and 100?
