Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do you display AVG, MIN, and MAX as row headers by Service?

cmcdole
Path Finder
‎03-28-2019 08:59 AM

I have several services that I need to calculate Avg/min/max for. 

{basesearch} | stats avg(transTime) as "Avg", min(transTime) as "Min", max(transTime) as "Max", values(JBossService) as JBoss_Service by JBossService

I need the display to look something like this.

         Service1|Service2|Service3|Service4
Avg  ____###__|__###__|__##____|__##____
Min  ____###__|__###__|__##____|__##____
Max  ____###__|__###__|__##____|__##____

Please help!! Thanks 🙂

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎03-28-2019 11:46 AM

@cmcdole try the following with transpose command with limit=0 to invert all rows as columns and columns as rows:

{basesearch} 
| stats avg(transTime) as "Avg", min(transTime) as "Min", max(transTime) as "Max" by JBossService
| transpose 0 header_field=JBossService column_name=JBossService

Following is a run anywhere search based on Splunk's _internal index:

index=_internal sourcetype=splunkd log_level!=INFO
| stats avg(date_second) as Avg min(date_second) as Min max(date_second) as Max by component
| transpose 0 header_field=component column_name=component
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma
Reply
Solved! Jump to solution

isachse
Explorer
‎03-28-2019 12:45 PM

Have a look to the untable command. That might be a good solution.

0 Karma
Reply
Solved! Jump to solution
Solution

niketn
Legend
‎03-28-2019 11:46 AM

@cmcdole try the following with transpose command with limit=0 to invert all rows as columns and columns as rows:

{basesearch} 
| stats avg(transTime) as "Avg", min(transTime) as "Min", max(transTime) as "Max" by JBossService
| transpose 0 header_field=JBossService column_name=JBossService

Following is a run anywhere search based on Splunk's _internal index:

index=_internal sourcetype=splunkd log_level!=INFO
| stats avg(date_second) as Avg min(date_second) as Min max(date_second) as Max by component
| transpose 0 header_field=component column_name=component
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

cmcdole
Path Finder
‎03-29-2019 06:35 AM

This worked perfectly!! Thanks!

0 Karma
Reply
Solved! Jump to solution

solarboyz1
Builder
‎03-28-2019 09:46 AM

Try using the chart function:

You can specify which field is tracked on the x-axis of the chart. The x-axis variable is specified with a by field and is discretized if necessary. Charted fields are converted to numerical quantities if necessary.
(https://docs.splunk.com/Documentation/Splunk/7.2.4/SearchReference/Chart)

... | chart avg(transTime) as "Avg", min(transTime) as "Min", max(transTime) as "Max", values(JBossService) as JBoss_Service by JBossService
0 Karma
Reply
Get Updates on the Splunk Community!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...