Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Performing operations on a list of values with a single value

jaysonpryde
Path Finder
‎07-22-2021 09:05 PM

HI,

As mentioned in the subject, I want to perform operations on a list of values with a single value. To be clearer, here's my search:

index="my_index"
| stats limit=15 values(my_transaction) as transactions by group_name
| eventstats median(transactions) as median_transaction by group_name
| eval dv=(abs(transactions-median_transactions))

However, "dv" is empty. I am assuming this is because "transactions" is an array/ a list while "median_transaction" is a a single value, for each group. If my assumption is correct, what's the best way in performing the operation for each value in "transactions" with "median_transaction" for each group? 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-22-2021 11:15 PM 
| eval dv=mvmap(transactions,abs(transactions-median_transactions))

By the way, values() will give you an ordered list of unique values, whereas list() will keep duplicates which may or may not be a consideration for you.

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-22-2021 11:15 PM 
| eval dv=mvmap(transactions,abs(transactions-median_transactions))

By the way, values() will give you an ordered list of unique values, whereas list() will keep duplicates which may or may not be a consideration for you.

Reply
Solved! Jump to solution

jaysonpryde
Path Finder
‎07-23-2021 12:17 AM

Thank you very much @ITWhisperer 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎07-22-2021 10:58 PM

Hi please try this:

index="my_index"
| eventstats median(transactions) as by group_name
| stats limit=15 values(my_transaction) as transactions values(median_transaction) AS median_transaction by group_name
| eval dv=(abs(transactions-median_transactions))

One question: do you want the 15 first values ordered by group name or transactions?

with your search you have the 15 first values ordered by group name, if you want the 15 first values by transactions, you have to use head:

index="my_index"
| eventstats median(transactions) as by group_name
| stats values(my_transaction) as transactions values(median_transaction) AS median_transaction by group_name
| sort transactios
| head 15
| eval dv=(abs(transactions-median_transactions))

Ciao.

Giuseppe

Reply
Solved! Jump to solution

jaysonpryde
Path Finder
‎07-23-2021 12:17 AM

Thank you very much @gcusello 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎07-23-2021 03:19 AM

Hi @jaysonpryde,

you're always welcome!

Ciao and happy splunking.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...