Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to use Stats command ?

m7787580
Explorer
‎07-03-2017 08:29 AM

Hi Splunker,

I have a logs which has
Defect ID ,Actual Fix Time Taken,Detected By,Priority.

I would like to calculate maximum value of Actual Fix time taken by each Priority and simultaneously i would like to see the Defect Id as well
My output should look like that

Priority    Defect ID   Detected by Maximum Actual Fix time(In days)
P1           1234            x                 2
P2           767              Y                5
P3           122              z                20
P4           3526            T                 67

Note:- Actual Fix time means time taken to fix the defect and here i would like to know the Defect ID for which maximum time taken to close that defect against each priority.

I tried using below mentioned query

source="Jcaps_Logs.csv" index="jcaps" sourcetype="csv"

| fillnull value=NULL "Actual Fix Time"
| search "Actual Fix Time"!=NULL
| stats max("Actual Fix Time") as maxy by "Priority","Defect ID"

Thanks in advance

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎07-03-2017 08:53 AM

Try like this

source="Jcaps_Logs.csv" index="jcaps" sourcetype="csv"
| fillnull value=-1 "Actual Fix Time" 
| sort 0 Priority -"Actual Fix Time"
| dedup Priority
| table Priority "Defect ID" "Detected By" "Actual Fix Time" 
| eval "Actual Fix Time"=if('Actual Fix Time'=-1,"NULL",'Actual Fix Time")
| rename "Actual Fix Time" as "Maximum Actual Fix time(In days)"

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎07-03-2017 08:53 AM

Try like this

source="Jcaps_Logs.csv" index="jcaps" sourcetype="csv"
| fillnull value=-1 "Actual Fix Time" 
| sort 0 Priority -"Actual Fix Time"
| dedup Priority
| table Priority "Defect ID" "Detected By" "Actual Fix Time" 
| eval "Actual Fix Time"=if('Actual Fix Time'=-1,"NULL",'Actual Fix Time")
| rename "Actual Fix Time" as "Maximum Actual Fix time(In days)"
Reply
Solved! Jump to solution

m7787580
Explorer
‎07-05-2017 01:36 AM

Many thanks somesoni2

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

New in Splunk Observability Cloud: Automated Archiving for Unused Metrics

Automated Archival is a new capability within Metrics Management; which is a robust usage & cost optimization ...

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...

What's New in Splunk Observability - July 2025

What’s New?  We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what ...
Top