Splunk Search

How to display a single value in my search results?

Communicator

Hi all, this is my search (sorry, newbie here):

source=*DT* index=index001
| dedup _raw
| convert rmcomma("duration")
| eval previous_month = strftime(relative_time(now(), "-1mon"), "%b")
| eventstats sum("duration") as Ads
| eval amount = tostring(Ads, "commas")
| eval results = previous_month + ": " + amount + " (previous month)"
| table results

Results are:
Jan: 28,783,685 (previous month)
Jan: 28,783,685 (previous month)
Jan: 28,783,685 (previous month)
Jan: 28,783,685 (previous month)
Jan: 28,783,685 (previous month)
... with hundreds of pages

The results show the correct final number, but it is displayed in multiple rows. I just need to show one single result.

Thank you


Re: How to display a single value in my search results?

Contributor

Try using stats instead of eventstats.

https://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Eventstats

"The eventstats command is similar to the stats command. The difference is that with the eventstats command aggregation results are added inline to each event and added only if the aggregation is pertinent to that event."


Re: How to display a single value in my search results?

Communicator

Well, that is what I need help with 🙂 I tried using stats already and was not able to display a single string like the one in my sample with eventstats. I am very new to this SPL thing.
How do I format "Ads" with commas plus the addition of the string "previous month"?
| stats sum("duration") as Ads


Re: How to display a single value in my search results?

Contributor

Try this:

| stats sum(duration) as Ads
| eval amount=tostring(Ads, "commas")
| eval previous_month = strftime(relative_time(now(), "-1mon"), "%b")
| eval results = previous_month + ": " + amount + " (previous month)"
| table results

Re: How to display a single value in my search results?

Communicator

Thanks, man. I was putting this line before the stats command:
| eval previous_month = strftime(relative_time(now(), "-1mon"), "%b")

and that was giving me an error. Not sure why it would matter. Thanks again.


Re: How to display a single value in my search results?

Contributor

When you use stats, you're returning statistics over the fields that you explicitly specify with the stats command. All other fields before stats are lost in the transaction if they aren't specified in your stats statement.

Because you evaluated a new field "previous_month" prior to the stats command, but didn't actually use it in stats, Splunk considers that field as gone. When you attempt to later call that field out (eval results = previous_month...), Splunk has no recollection of that field anymore because it was generated prior to stats and itself was not sent through stats, so it didn't appear on the other side.

I admit it's kind of tricky, but you'll get the hang of it 🙂

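As an added illustration of the point above (this is not a search from the thread, and it assumes the same source, index and "duration" field the original poster used), here is the full pipeline rewritten so that a field computed before stats survives it. Instead of recomputing previous_month after stats, the search carries it through stats with values(), which keeps the field on the single output row:

```spl
source=*DT* index=index001
| dedup _raw
| convert rmcomma("duration")
| eval previous_month = strftime(relative_time(now(), "-1mon"), "%b")
| stats sum(duration) as Ads, values(previous_month) as previous_month
| eval results = previous_month + ": " + tostring(Ads, "commas") + " (previous month)"
| table results
```

Every field you want on the far side of stats has to be named in it, either as an aggregation (sum, values, latest, ...) or in a by clause. Here previous_month is the same string on every event, so values() yields a single value and the concatenation in the last eval works; if the field could take several distinct values per result, values() would return a multivalue field and you would need a by clause (one row per distinct value) or mvjoin() to turn it back into a single string.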

Re: How to display a single value in my search results?

Communicator

Aww, I see it. Thanks for the explanation!!! Cheers!