Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Performing operations on a list of values with a single value

jaysonpryde
Path Finder
‎07-22-2021 09:05 PM

HI,

As mentioned in the subject, I want to perform operations on a list of values with a single value. To be clearer, here's my search:

index="my_index"
| stats limit=15 values(my_transaction) as transactions by group_name
| eventstats median(transactions) as median_transaction by group_name
| eval dv=(abs(transactions-median_transactions))

However, "dv" is empty. I am assuming this is because "transactions" is an array/ a list while "median_transaction" is a a single value, for each group. If my assumption is correct, what's the best way in performing the operation for each value in "transactions" with "median_transaction" for each group? 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-22-2021 11:15 PM 
| eval dv=mvmap(transactions,abs(transactions-median_transactions))

By the way, values() will give you an ordered list of unique values, whereas list() will keep duplicates which may or may not be a consideration for you.

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-22-2021 11:15 PM 
| eval dv=mvmap(transactions,abs(transactions-median_transactions))

By the way, values() will give you an ordered list of unique values, whereas list() will keep duplicates which may or may not be a consideration for you.

Reply
Solved! Jump to solution

jaysonpryde
Path Finder
‎07-23-2021 12:17 AM

Thank you very much @ITWhisperer 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎07-22-2021 10:58 PM

Hi please try this:

index="my_index"
| eventstats median(transactions) as by group_name
| stats limit=15 values(my_transaction) as transactions values(median_transaction) AS median_transaction by group_name
| eval dv=(abs(transactions-median_transactions))

One question: do you want the 15 first values ordered by group name or transactions?

with your search you have the 15 first values ordered by group name, if you want the 15 first values by transactions, you have to use head:

index="my_index"
| eventstats median(transactions) as by group_name
| stats values(my_transaction) as transactions values(median_transaction) AS median_transaction by group_name
| sort transactios
| head 15
| eval dv=(abs(transactions-median_transactions))

Ciao.

Giuseppe

Reply
Solved! Jump to solution

jaysonpryde
Path Finder
‎07-23-2021 12:17 AM

Thank you very much @gcusello 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎07-23-2021 03:19 AM

Hi @jaysonpryde,

you're always welcome!

Ciao and happy splunking.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
li.common.scroll-to.top