Splunk Search

Inspite of using Appendpipe , the new row is not getting displayed

New Member

index="xyz"
| stats avg("Service Provided") AS "Average of Service Provided " BY "Survey Month"
| eval "Average of Service Provided "=round('Average of Service Provided',2)
| appendpipe [stats avg("Service Provided ") AS "Average of Service Provided"| eval Survey Month="Avg"]

The above is a query that I am trying so that I get a new row named "Avg" displayed with the average calculated in the corresponding stats command. Why is the new row not getting displayed?

0 Karma

SplunkTrust
SplunkTrust

@monyathomas your appendpipe is not leading to expected results because the field "Service Provided" is not available after the stats command where you have renamed the same to "Average of Service Provided". So you should try the following instead:

index="xyz" 
| stats avg("Service Provided") AS "Average of Service Provided" BY "Survey Month" 
| eval "Average of Service Provided"=round('Average of Service Provided',2) 
| appendpipe 
    [ stats avg("Average of Service Provided") AS "Average of Service Provided" 
    | eval "Survey Month"="Avg"]

Following is a run anywhere search with Splunk's _internal index with cooked up fields/data as per your question.

index="_internal" sourcetype=splunkd 
| rename date_hour as "Survey Month", date_second as "Service Provided"
| stats avg("Service Provided") AS "Average of Service Provided" BY "Survey Month" 
| eval "Average of Service Provided"=round('Average of Service Provided',2)
| appendpipe 
    [ stats avg("Average of Service Provided") AS "Average of Service Provided" 
    | eval "Survey Month"="Avg"]

Please try out and confirm!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Path Finder

I think you missed the BY clause in stats, and your assignment to AVG field isn't accurate
try:

| appendpipe [| stats avg("Service Provided ") AS "Average of Service Provided" BY "Survey Month" | eval Avg = 'Average of Service Provided' | fields - "Average of Service Provided"]

fields - "Average of Service Provided": ensure that your values of subsearch aren't appended to the same column as your main search. Since you want a separate column for AVG.

OR, you can do the below, to rename in stats altogether

 | appendpipe [| stats avg("Service Provided ") AS "Avg" BY "Survey Month"]
0 Karma