- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- InnerSearch not creating columns with eventstats
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
InnerSearch not creating columns with eventstats
I want to get the result and divide it into three sections as three-column such as last 15 min result, avg of 7 day and avg of one day. I have used below search but somehow I am getting values in only two columns i.e. product and sevenDayAvg. Two other column 'oneDayAvg' and 'quantity1' is coming as blank.
Below is my search:
index="in" daysago=7 "Product" AND "TotalQTY" | rex field=_raw "Product:(?<Product>[0-9]{5,15}),TotalQTY:(?<quantity>[0-9]{1,5})"
| eventstats sum(quantity) as totalsale BY Product |eval sevenDayAvg=totalsale/672 | append [search index=hybris_prod host=dep-prd-db-monitoring daysago=1 "Product" AND "TotalQTY" | rex field=_raw "Product:(?<Product>[0-9]{5,15}),TotalQTY:(?<quantity>[0-9]{1,5})"
| eventstats sum(quantity) as totalsale BY Product |eval oneDayAvg=totalsale/96] | append [search index=hybris_prod host=dep-prd-db-monitoring earliest=-15m@m now() "Product" AND "TotalQTY" | rex field=_raw "Product:(?<Product>[0-9]{5,15}),TotalQTY:(?<quantity1>[0-9]{1,5})" ] | dedup Product | table Product,quantity1,oneDayAvg,sevenDayAvg
Please note all three searches are working fine if I use them individually.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like this:
(index="in" daysago=7 "Product" AND "TotalQTY") OR
(index=hybris_prod host=dep-prd-db-monitoring daysago=1) OR
(index=hybris_prod host=dep-prd-db-monitoring earliest=-15m@m latest=now "Product" AND "TotalQTY")
| rex field=_raw "Product:(?<Product>[0-9]{5,15}),TotalQTY:(?<quantity1>[0-9]{1,5})"
| eval Time = case(
(_time >= relative_time(now, "-15m@m"), "Last_15_minutes",
(_time >= relative_time(now, "-15m@m"), "Yesterday",
true(), "7_Days_Ago")
| stats sum(quantity) as TotalSale count BY Product Time
| eval avg = TotalSale / count
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Tried the suggested query but here I am not getting result as required. I was looking for the query to make to make 4 column such as 'Product','sevenDayAvg','OneDayAvg' and last 15 minutes data.
Here the average per 15 minutes. for example, for one day period it should be (Totalsale for one day)/96 and for 7 day period avg should be (Totalsale in 7 day)/672.
With the query suggested by you I am getting 5 columns that is 'Product','Time','TotalSale','count' and 'Avg'.
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
