Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Make a stats by value a separate field

ebs
Communicator
‎05-26-2021 06:59 PM

I've performed a stats by command I was wondering if there was a way to store all these as fields and then for the by field which has returned 0 make it null.

For context I performed an eval field to create a new field on via case then performed a stats by command.

stats command: stats avg(response_time) by category

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-31-2021 12:37 AM

Have you considered transpose?

| transpose 0 header_field=value

View solution in original post

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎05-26-2021 10:47 PM

Hi @ebs,

I'm not sure to understood your questions:

you want to know how to pass all fields after a stats command and how to manage values where the BY fields are null, is it correct?

If this is your need:

it's better to have in the stats command only the fields you need so you use less memory, but if you want to have all the fields, you could use values(*) AS * , but I don't like.

Abouth the null BY fields, you can use the fillnull command (adding e.g. "-") before the stats command, in this way you're sure that all the events have a value for the BY fields.

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

ebs
Communicator
‎05-30-2021 06:43 PM

Hi @gcusello,

To explain further when I do my stats avg by command I have one column of field values and one column of correlating stats values. What I want to do is take the stats value and then assign it a field with the name of the corresponding field value e.g. if the avg of a = 3 and the avg of b = 5 I then want a field created called a, where the field value is 3 and another field called b where the value is 5. If there is then a value of c where there are no results, I want that created into a field and then do a fillnull command.

Also I specifically wanted the fillnull value for the created stats field

Thanks!

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-31-2021 12:37 AM

Have you considered transpose?

| transpose 0 header_field=value
Reply
Solved! Jump to solution

ebs
Communicator
‎05-31-2021 04:21 PM

Thanks so much! I didn't even think of this command

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎05-30-2021 11:19 PM

Hi @ebs,

in the stats command you can assign the field name as you want, e.g. something like this:

| stats avg(a) AS a avg(b) AS b BY c

and anyway, you have the rename command to change a field name.

about the null values, you have to try to use the fillnull command.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

OpenTelemetry for Legacy Apps? Yes, You Can!

This article is a follow-up to my previous article posted on the OpenTelemetry Blog, "Your Critical Legacy App ...

UCC Framework: Discover Developer Toolkit for Building Technology Add-ons

The Next-Gen Toolkit for Splunk Technology Add-on Development The Universal Configuration Console (UCC) ...

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...