Hi,
First, thanks for the Splunk query; it's way simpler to help you like that.
Can you try eventstats like this:
| makeresults 1 | eval group="placeOrder" | eval service="placeOrder_v1" | eval groupVolume="375" | eval volume="175"
| append
[| makeresults 1 | eval group="placeOrder" | eval service="placeOrder_v3" | eval groupVolume="375" | eval volume="200"]
| append
[| makeresults 1 | eval group="placeOrder" | eval service="placeOrder_v1" | eval pastGroupVolume="325" | eval pastVolume="200"]
| append
[| makeresults 1 | eval group="placeOrder" | eval service="placeOrder_v2" | eval pastGroupVolume="325" | eval pastVolume="100"]
| append
[| makeresults 1 | eval group="placeOrder" | eval service="placeOrder_v3" | eval pastGroupVolume="325" | eval pastVolume="25"]
| fields _time, group, service, groupVolume, volume, pastVolume, pastGroupVolume
| stats values(groupVolume) as groupVolume, values(volume) as volume, values(pastGroupVolume) as pastGroupVolume, values(pastVolume) as pastVolume by group, service
| eventstats values(groupVolume) as groupVolume by group
It will give you the values by group for the groupVolume, and it seems to solve your problem, or maybe I didn't get what the problem was ^^'