Re: How to create a stats table with field values ...

cmeyers · ‎03-08-2016

Hello! I am sure my wording is way more complicated than what I want. Basically, the end result being a stats table along the lines of:

And then the values filled in from there. The timespan in which I am looking at is 1 week. I was thinking using something along the lines of:

index=db device_type=router | timechart span=1d count | eventstats avg(count) as AvgLogCount, min(count) as Min, max(count) as Max

When I do this, there are X amount of rows that there are days, with the values matching the next row. I get why that is happening, but I want to turn it into each row listing a different Host, and the rest of the columns' value be of the respective host. Do I need something along the lines of:

 index=db device_type=router | timechart span=1d count | eventstats avg(count) as AvgLogCount by host, min(count) as Min by host, max(count) as Max by host

I think that is on the right track, but it doesn't return anything. Any help would be greatly appreciated! And hopefully my wording makes sense.

Thank you!

woodcock · ‎03-12-2016

Like this:

index=db device_type=router | timechart span=1d count by host | stats avg(count) AvgLogCount min(count) AS Min_Total max(count) AS Max_Total | rename host AS Host

somesoni2 · ‎03-08-2016

If you're looking for per week stats (like avg log count per week, min/max by week), then try something like this

 index=db device_type=router | bucket span=1w _time | stats count  by _time host | stats avg(count) as AvgLogCount min(count) as Min max(count) as Max by host

How to create a stats table with field values based off of other fields in same stats table?

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk