Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to use Stats command ?

m7787580
Explorer
‎07-03-2017 08:29 AM

Hi Splunker,

I have a logs which has
Defect ID ,Actual Fix Time Taken,Detected By,Priority.

I would like to calculate maximum value of Actual Fix time taken by each Priority and simultaneously i would like to see the Defect Id as well
My output should look like that

Priority    Defect ID   Detected by Maximum Actual Fix time(In days)
P1           1234            x                 2
P2           767              Y                5
P3           122              z                20
P4           3526            T                 67

Note:- Actual Fix time means time taken to fix the defect and here i would like to know the Defect ID for which maximum time taken to close that defect against each priority.

I tried using below mentioned query

source="Jcaps_Logs.csv" index="jcaps" sourcetype="csv"

| fillnull value=NULL "Actual Fix Time"
| search "Actual Fix Time"!=NULL
| stats max("Actual Fix Time") as maxy by "Priority","Defect ID"

Thanks in advance

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
SplunkTrust
SplunkTrust
‎07-03-2017 08:53 AM

Try like this

source="Jcaps_Logs.csv" index="jcaps" sourcetype="csv"
| fillnull value=-1 "Actual Fix Time" 
| sort 0 Priority -"Actual Fix Time"
| dedup Priority
| table Priority "Defect ID" "Detected By" "Actual Fix Time" 
| eval "Actual Fix Time"=if('Actual Fix Time'=-1,"NULL",'Actual Fix Time")
| rename "Actual Fix Time" as "Maximum Actual Fix time(In days)"

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
SplunkTrust
SplunkTrust
‎07-03-2017 08:53 AM

Try like this

source="Jcaps_Logs.csv" index="jcaps" sourcetype="csv"
| fillnull value=-1 "Actual Fix Time" 
| sort 0 Priority -"Actual Fix Time"
| dedup Priority
| table Priority "Defect ID" "Detected By" "Actual Fix Time" 
| eval "Actual Fix Time"=if('Actual Fix Time'=-1,"NULL",'Actual Fix Time")
| rename "Actual Fix Time" as "Maximum Actual Fix time(In days)"
Reply
Solved! Jump to solution

m7787580
Explorer
‎07-05-2017 01:36 AM

Many thanks somesoni2

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud | Customer Survey!

If you use Splunk Observability Cloud, we invite you to share your valuable insights with us through a brief ...

Happy CX Day, Splunk Community!

Happy CX Day, Splunk Community! CX stands for Customer Experience, and today, October 3rd, is CX Day — a ...

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas

We’re excited to announce a new Splunk certification exam being released at .conf23! If you’re going to Las ...