Solved: How to create a new field out of some evaluated da...

moizmmz · ‎03-06-2019

Hello,

So here's my Query:

index=video-eng-live | rename message.timestamp as time | eval time=strftime(time/1000, "%m-%d-%Y %H:%M:%S") | dedup message.concurrent_sessions, time | stats sum(message.concurrent_sessions) as "Concurrent Sessions" by message.account | addcoltotals labelfield=message.account label="Total"

After I calculate the 'sum(message.concurrent_sessions)' I want to make a new field called 'Concurrent Sessions' out of it. How could I do that? I suppose it would have to be a combination of stats and eval but I just can't seem to get it right. Please help!

vinod94 · ‎03-06-2019

Hi dyude @moizmmz ,

Could you please explain more a bit about it so that we can have a clear picture or can you share some sample logs?

I think you are looking for something like this...

Your search | stats count(eval( Your Condtion )) as test by message.account

View solution in original post

cvssravan · ‎03-06-2019

@moizmmz
try this: I think for this scenario you may have to use eventstats. It will calculate the sum of concurrent sessions by account into a new field as you require. Hope it helps

index=video-eng-live | rename message.timestamp as time | eval time=strftime(time/1000, "%m-%d-%Y %H:%M:%S") | dedup message.concurrent_sessions, time | eventstats sum(message.concurrent_sessions) as "Concurrent Sessions" by message.account | addcoltotals labelfield=message.account label="Total"

moizmmz · ‎03-06-2019

Perfect! Thank you!

vinod94 · ‎03-06-2019

Hi dyude @moizmmz ,

Could you please explain more a bit about it so that we can have a clear picture or can you share some sample logs?

I think you are looking for something like this...

Your search | stats count(eval( Your Condtion )) as test by message.account

moizmmz · ‎03-06-2019

Sure, so the field: message.concurrent_sessions has different values in it which tell us the number of concurrent sessions. An image of which is below:
https://drive.google.com/open?id=1L-6q9Mlg5yrrZCWlc2xF8J0R523lqyro

As shown in the query, I'm doing stats sum(message.concurrent_sessions) and renaming the resulting tabular column as "Concurrent Sessions". But instead of just a tabular column, I want a whole new field which has the resulting values (that Concurrent Sessions has) in it.

I know it's stats sum(eval(condition)), but no matter what I try, Splunk says it's an error. Need to frame it right.

Here's the raw text of one log:
{"message": {"account": "fox_nation", "title": "Fox News Talk Radio | Public", "timestamp": 1549440027975, "channelID": "f12a9d64997042498dbb8cbe1560355d", "missing_content_slate": 2, "concurrent_sessions": 2}}

vinod94 · ‎03-06-2019

@moizmmz ,

Try this ,

index=video-eng-live | rename message.timestamp as time | eval time=strftime(time/1000, "%m-%d-%Y %H:%M:%S") | dedup message.concurrent_sessions, time | eventstats sum(message.concurrent_sessions) as "New Concurrent Sessions" by message.account |

and check the fields .. der should be a "New Concurrent Sessions" field

Let me know if it works!

moizmmz · ‎03-06-2019

Perfect!! Thank you!!!

How to create a new field out of some evaluated data?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!