Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Inspite of using Appendpipe , the new row is not getting displayed

monyathomas
New Member
‎06-27-2019 11:33 PM

index="xyz"
| stats avg("Service Provided") AS "Average of Service Provided " BY "Survey Month"
| eval "Average of Service Provided "=round('Average of Service Provided',2)
| appendpipe [stats avg("Service Provided ") AS "Average of Service Provided"| eval Survey Month="Avg"]

The above is a query that I am trying so that I get a new row named "Avg" displayed with the average calculated in the corresponding stats command. Why is the new row not getting displayed?

0 Karma
Reply

niketn
Legend
‎07-02-2019 10:52 AM

@monyathomas your appendpipe is not leading to expected results because the field "Service Provided" is not available after the stats command where you have renamed the same to "Average of Service Provided". So you should try the following instead:

index="xyz" 
| stats avg("Service Provided") AS "Average of Service Provided" BY "Survey Month" 
| eval "Average of Service Provided"=round('Average of Service Provided',2) 
| appendpipe 
    [ stats avg("Average of Service Provided") AS "Average of Service Provided" 
    | eval "Survey Month"="Avg"]

Following is a run anywhere search with Splunk's _internal index with cooked up fields/data as per your question.

index="_internal" sourcetype=splunkd 
| rename date_hour as "Survey Month", date_second as "Service Provided"
| stats avg("Service Provided") AS "Average of Service Provided" BY "Survey Month" 
| eval "Average of Service Provided"=round('Average of Service Provided',2)
| appendpipe 
    [ stats avg("Average of Service Provided") AS "Average of Service Provided" 
    | eval "Survey Month"="Avg"]

Please try out and confirm!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

chinmoya
Communicator
‎06-28-2019 05:15 AM

I think you missed the BY clause in stats, and your assignment to AVG field isn't accurate
try:

| appendpipe [| stats avg("Service Provided ") AS "Average of Service Provided" BY "Survey Month" | eval Avg = 'Average of Service Provided' | fields - "Average of Service Provided"]

fields - "Average of Service Provided": ensure that your values of subsearch aren't appended to the same column as your main search. Since you want a separate column for AVG.

OR, you can do the below, to rename in stats altogether 

 | appendpipe [| stats avg("Service Provided ") AS "Avg" BY "Survey Month"]
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Join Principal Threat Researcher, Michael Haag, as he walks through:An introduction to the Splunk Threat ...

Splunk Life | Happy Pride Month!

Happy Pride Month, Splunk Community! 🌈 In the United States, as well as many countries around the ...

SplunkTrust | Where Are They Now - Michael Uschmann

The Background Five years ago, Splunk published several videos showcasing members of the SplunkTrust to share ...