Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Performing operations on a list of values with a single value

jaysonpryde
Path Finder
‎07-22-2021 09:05 PM

HI,

As mentioned in the subject, I want to perform operations on a list of values with a single value. To be clearer, here's my search:

index="my_index"
| stats limit=15 values(my_transaction) as transactions by group_name
| eventstats median(transactions) as median_transaction by group_name
| eval dv=(abs(transactions-median_transactions))

However, "dv" is empty. I am assuming this is because "transactions" is an array/ a list while "median_transaction" is a a single value, for each group. If my assumption is correct, what's the best way in performing the operation for each value in "transactions" with "median_transaction" for each group? 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-22-2021 11:15 PM 
| eval dv=mvmap(transactions,abs(transactions-median_transactions))

By the way, values() will give you an ordered list of unique values, whereas list() will keep duplicates which may or may not be a consideration for you.

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-22-2021 11:15 PM 
| eval dv=mvmap(transactions,abs(transactions-median_transactions))

By the way, values() will give you an ordered list of unique values, whereas list() will keep duplicates which may or may not be a consideration for you.

Reply
Solved! Jump to solution

jaysonpryde
Path Finder
‎07-23-2021 12:17 AM

Thank you very much @ITWhisperer 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎07-22-2021 10:58 PM

Hi please try this:

index="my_index"
| eventstats median(transactions) as by group_name
| stats limit=15 values(my_transaction) as transactions values(median_transaction) AS median_transaction by group_name
| eval dv=(abs(transactions-median_transactions))

One question: do you want the 15 first values ordered by group name or transactions?

with your search you have the 15 first values ordered by group name, if you want the 15 first values by transactions, you have to use head:

index="my_index"
| eventstats median(transactions) as by group_name
| stats values(my_transaction) as transactions values(median_transaction) AS median_transaction by group_name
| sort transactios
| head 15
| eval dv=(abs(transactions-median_transactions))

Ciao.

Giuseppe

Reply
Solved! Jump to solution

jaysonpryde
Path Finder
‎07-23-2021 12:17 AM

Thank you very much @gcusello 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎07-23-2021 03:19 AM

Hi @jaysonpryde,

you're always welcome!

Ciao and happy splunking.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Answers Content Calendar, June Edition

Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...
Top