Solved: Re: How to display a single value in my search res...

maximusdm · ‎02-16-2017

hi all, this is my search, sorry newbie here:

source=*DT* index=index001
| dedup _raw  
| convert rmcomma("duration")           
| eval previous_month = strftime(relative_time(now(), "-1mon"), "%b")         
| eventstats sum("duration") as Ads   
| eval amount= tostring(Ads, "commas")  
| eval results = previous_month + ": " + amount + " (previous month)" 
| table results

Results are:
Jan: 28,783,685 (previous month)
Jan: 28,783,685 (previous month)
Jan: 28,783,685 (previous month)
Jan: 28,783,685 (previous month)
Jan: 28,783,685 (previous month)
... with hundreds of pages

Results show correct final number but it displays in multiple rows. I just need to show one single result.

Thank you

coltwanger · ‎02-16-2017

Try using stats instead of eventstats.

https://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Eventstats

"The eventstats command is similar to the stats command. The difference is that with the eventstats command aggregation results are added inline to each event and added only if the aggregation is pertinent to that event."

View solution in original post

coltwanger · ‎02-16-2017

Try using stats instead of eventstats.

https://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Eventstats

"The eventstats command is similar to the stats command. The difference is that with the eventstats command aggregation results are added inline to each event and added only if the aggregation is pertinent to that event."

maximusdm · ‎02-16-2017

well that is what I need help with 🙂 I tried using stats already and was not able to display a single string just like the one in my sample with eventstats. I am very new to this SPL thing.
how do I format "Ads" with commas plus the addition of string "previous month"?
| stats sum("duration") as Ads

coltwanger · ‎02-16-2017

Try this:

| stats sum(duration) as Ads
| eval amount=tostring(Ads, "commas")
| eval previous_month = strftime(relative_time(now(), "-1mon"), "%b")
| eval results = previous_month + ": " + amount + " (previous month)"
| table results

maximusdm · ‎02-16-2017

thanks mans. I was putting this line before the stats command:
| eval previous_month = strftime(relative_time(now(), "-1mon"), "%b")

and that was giving me an error. Not sure why it would matter - thanks again

coltwanger · ‎02-16-2017

When you use stats, you're returning statistics over the fields that you explicitly specify with the stats command. All other fields before stats are lost in the transaction if they aren't specified in your stats statement.

Because you evaluated a new field "previous_month" prior to the stats command, but didn't actually use it in stats, Splunk considers that field as gone. When you attempt to later call that field out (eval results = previous_month...), Splunk has no recollection of that field anymore because it was generated prior to stats and itself was not sent through stats, so it didn't appear on the other side.

I admit it's kind of tricky, but you'll get the hang of it 🙂

maximusdm · ‎02-16-2017

aww I see it. Thanks for the explanation!!! Cheers!

How to display a single value in my search results?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life