Splunk Search

How to display a single value in my search results?

Communicator

hi all, this is my search, sorry newbie here:

source=*DT* index=index001
| dedup _raw
| convert rmcomma("duration")
| eval previous_month = strftime(relative_time(now(), "-1mon"), "%b")
| eventstats sum("duration") as Ads
| eval amount = tostring(Ads, "commas")
| eval results = previous_month + ": " + amount + " (previous month)"
| table results

Results are:
Jan: 28,783,685 (previous month)
Jan: 28,783,685 (previous month)
Jan: 28,783,685 (previous month)
Jan: 28,783,685 (previous month)
Jan: 28,783,685 (previous month)
... with hundreds of pages

Results show the correct final number, but it displays in multiple rows. I just need to show one single result.

Thank you


Contributor

Try using stats instead of eventstats.

https://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Eventstats

"The eventstats command is similar to the stats command. The difference is that with the eventstats command aggregation results are added inline to each event and added only if the aggregation is pertinent to that event."

Communicator

well that is what I need help with 🙂 I tried using stats already and was not able to display a single string just like the one in my sample with eventstats. I am very new to this SPL thing.
how do I format "Ads" with commas plus the addition of string "previous month"?
| stats sum("duration") as Ads

Contributor

Try this:

| stats sum(duration) as Ads
| eval amount=tostring(Ads, "commas")
| eval previous_month = strftime(relative_time(now(), "-1mon"), "%b")
| eval results = previous_month + ": " + amount + " (previous month)"
| table results

Communicator

thanks man. I was putting this line before the stats command:
| eval previous_month = strftime(relative_time(now(), "-1mon"), "%b")

and that was giving me an error. Not sure why it would matter - thanks again

Contributor

When you use stats, you're returning statistics over the fields that you explicitly specify with the stats command. All other fields before stats are lost in the transaction if they aren't specified in your stats statement.

Because you evaluated a new field "previous_month" prior to the stats command, but didn't actually use it in stats, Splunk considers that field as gone. When you attempt to later call that field out (eval results = previous_month...), Splunk has no recollection of that field anymore because it was generated prior to stats and itself was not sent through stats, so it didn't appear on the other side.

I admit it's kind of tricky, but you'll get the hang of it 🙂

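If the label really has to be computed before stats, it can be carried across by naming it in the aggregation. This is an added example, not from the thread; it reuses the question's source, index and field names and assumes duration is numeric after rmcomma:

```spl
source=*DT* index=index001
| dedup _raw
| convert rmcomma("duration")
| eval previous_month = strftime(relative_time(now(), "-1mon"), "%b")
| stats sum(duration) as Ads, values(previous_month) as previous_month
| eval amount = tostring(Ads, "commas")
| eval results = previous_month + ": " + amount + " (previous month)"
| table results
```

values() collapses to a single value here only because previous_month is the same for every event; for a field that varies per event, use `| stats sum(duration) as Ads by previous_month` instead, which gives one row per value.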

Communicator

aww I see it. Thanks for the explanation!!! Cheers!