Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

enumerating field names as a new field

akazarov
Path Finder
‎06-05-2015 07:37 AM

Dear all,

I have in splunk events of this simple structure fileldX=value, like

field1=..., field2=..., ... fieldN=...

Now I need to plot a stats of my data, something like
| chart avg(?), max(?) over field1, field2,.. fieldN

How should I express the '?'?
Do I need to create a syntetic field with values of my real filed names?

Thanks!

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

akazarov
Path Finder
‎06-08-2015 06:41 AM

Did it with append:

search ... | chart avg(field1) as f1, avg(field2) as f2 ... | append [ search ... | chart max(field1) as f1, max(field2) as f2... ] | transpose | rename ...

View solution in original post

Reply
Solved! Jump to solution
Solution

akazarov
Path Finder
‎06-08-2015 06:41 AM

Did it with append:

search ... | chart avg(field1) as f1, avg(field2) as f2 ... | append [ search ... | chart max(field1) as f1, max(field2) as f2... ] | transpose | rename ...

Reply
Solved! Jump to solution

fdi01
Motivator
‎06-09-2015 12:59 AM

good Mr akazarov
i don't think like that.

0 Karma
Reply
Solved! Jump to solution

ngatchasandra
Builder
‎06-05-2015 09:59 AM

Hi,

Try to enumerate with this: |eval new=mvappend(field1,mvappend(field2,mvappend(field3,field4)))... | makemv delim="," new

0 Karma
Reply
Solved! Jump to solution

fdi01
Motivator
‎06-05-2015 07:52 AM

try like this:

...| chart avg(field*), max(field*) over field1, field2,.. fieldN

or

...| chart avg(*), max(*) over field1, field2,.. fieldN
0 Karma
Reply
Solved! Jump to solution

akazarov
Path Finder
‎06-08-2015 06:28 AM

over field1, field2
is not valid syntax, it says
Error in 'chart' command: Invalid argument: 'field2'

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...