Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

"Middle" parameter for stats command?

KyleMcDougall
Path Finder
‎09-12-2022 01:48 PM

Hi all! 

We use stats commands to pull in data from our APIs. But, our APIs get called multiple times in a single session. This works well if you want to use the first or last API call, using first(variable) or last(variable).

However, we want to pull in the middle API call. Is there a way to do this?

I realize there's no param for middle(variable), but I'm looking for possible alternatives. Any help would be much appreciated!

index=conversation sourcetype="cui-orchestration-log" botId=123456
| stats 
first(experiments__40000) as treatment
middle(case_number) as case_ID
by sessionId

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎09-12-2022 06:26 PM

How many events will contain the field case_number and will this case_number change in anyway during the sequence of API calls?

The simple solution is to collect all possible values of the case_number from the requests for the session id, i.e.

index=conversation sourcetype="cui-orchestration-log" botId=123456
| stats first(experiments__40000) as treatment
        values(case_number) as case_ID by sessionId

but I suspect you do not actually want to use first/middle/last anyway as those are intended to take values from the sequence of events, where those values may change and you want a specific variant of that field.

If the fields 'experiments_40000' and 'case_number' simply occur as different fields in the different events, then use vales(X) or list(X) to get the variants.

 

View solution in original post

Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎09-12-2022 06:26 PM

How many events will contain the field case_number and will this case_number change in anyway during the sequence of API calls?

The simple solution is to collect all possible values of the case_number from the requests for the session id, i.e.

index=conversation sourcetype="cui-orchestration-log" botId=123456
| stats first(experiments__40000) as treatment
        values(case_number) as case_ID by sessionId

but I suspect you do not actually want to use first/middle/last anyway as those are intended to take values from the sequence of events, where those values may change and you want a specific variant of that field.

If the fields 'experiments_40000' and 'case_number' simply occur as different fields in the different events, then use vales(X) or list(X) to get the variants.

 

Reply
Solved! Jump to solution

KyleMcDougall
Path Finder
‎09-13-2022 09:09 AM

Thank you!! This is exactly what I was looking for. 

0 Karma
Reply
Solved! Jump to solution

skramp
SplunkTrust
SplunkTrust
‎09-12-2022 01:59 PM

I've got problem understanding this middle thing because it will only work if there are 3 or 5 results.

Let's start the easier way. If you have 5 results, you can do a streamstats count as counting by sessionID. After this, you can do something like a sorting - counting sessionID  and write down the max counting by sessionID in each line. Then you calculate marker=(maxcounting+1)/2 and search where marker=counting. That means, if you have 5 results, for a sessionID it will look like this:

ID=1234, value=a, counting=1, maxcount=5, marker=3

ID=1234, value=b, counting=2, maxcount=5, marker=3

ID=1234, value=c, counting=3, maxcount=5, marker=3

ID=1234, value=d, counting=4, maxcount=5, marker=3

ID=1234, value=e, counting=5, maxcount=5, marker=3

But what will you do if there are 6 events, what's the middle?

0 Karma
Reply
Solved! Jump to solution

KyleMcDougall
Path Finder
‎09-12-2022 02:34 PM

Thanks for the reply! Interesting solution. Do you have an example using the query I posted above? I'm not sure I know how to put this into practice. Also, in my situation, there's only 3 events, so it should work. 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...