- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Is it possible to modify "chart" command results
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
Our index has the following data: method name (amf_name), execution time (call_dur), application_version (app_version). I am trying to build a statistics table of average values for every method for every app_version (top 10, sorted desc). I also want the columns to be in a specific order - method name, then specific version averages, then any other averages.
The current query that is working is
host=prod09 | chart avg(call_dur) by amf_name app_version | table amf_name, "01.20.00.00", * | sort 10 - "01.20.00.00"
The result looks like:
amf_name 01.20.00.00 01.30.00.00 01.40.00.00 ...
execute 10.25 11.4 10.74 ...
...
What I want to see in this table is method name, average for a specified app version, and then for every app version - a delta between this average value and average for that version. So the result looks like
amf_name 01.20.00.00 01.30.00.00 01.40.00.00 ...
execute 10.25 1.15 0.49 ...
...
I have tried using foreach, but it does not go through "01...." columns. It seems to be aware only about amf_name results column. Which seems strange, as when I address any column by the exact name like "01.20.00.00" I am able to change the data using eval. The question here is how to address a column without knowing its name and build statistics for all available application versions.
Thank you in advance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When you use foreach on columns with numeric names, you have to put <<FIELD>> in single quotes. Like this '<<FIELD>>'
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When you use foreach on columns with numeric names, you have to put <<FIELD>> in single quotes. Like this '<<FIELD>>'
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ah, yes, you are right. I have probably messed up quotes on either side of the equation. The query that shows exactly what I'm looking for is
host=prod09 | chart eval(round(avg(call_dur),2)) by amf_name app_version | sort 10 - "01.20.00.00" | foreach 0* [eval <<FIELD>> = if(('<<FIELD>>'!='01.20.00.00'),'<<FIELD>>' - '01.20.00.00','01.20.00.00')] | table amf_name, "01.20.00.00", *
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If this answered your question, please accept the answer so its marked answered. Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
To be completely honest it did not really answer the question, but definitely pointed me to the right direction. Thank you!
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
