Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do you display AVG, MIN, and MAX as row headers by Service?

cmcdole
Path Finder
‎03-28-2019 08:59 AM

I have several services that I need to calculate Avg/min/max for. 

{basesearch} | stats avg(transTime) as "Avg", min(transTime) as "Min", max(transTime) as "Max", values(JBossService) as JBoss_Service by JBossService

I need the display to look something like this.

         Service1|Service2|Service3|Service4
Avg  ____###__|__###__|__##____|__##____
Min  ____###__|__###__|__##____|__##____
Max  ____###__|__###__|__##____|__##____

Please help!! Thanks 🙂

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎03-28-2019 11:46 AM

@cmcdole try the following with transpose command with limit=0 to invert all rows as columns and columns as rows:

{basesearch} 
| stats avg(transTime) as "Avg", min(transTime) as "Min", max(transTime) as "Max" by JBossService
| transpose 0 header_field=JBossService column_name=JBossService

Following is a run anywhere search based on Splunk's _internal index:

index=_internal sourcetype=splunkd log_level!=INFO
| stats avg(date_second) as Avg min(date_second) as Min max(date_second) as Max by component
| transpose 0 header_field=component column_name=component
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma
Reply
Solved! Jump to solution

isachse
Explorer
‎03-28-2019 12:45 PM

Have a look to the untable command. That might be a good solution.

0 Karma
Reply
Solved! Jump to solution
Solution

niketn
Legend
‎03-28-2019 11:46 AM

@cmcdole try the following with transpose command with limit=0 to invert all rows as columns and columns as rows:

{basesearch} 
| stats avg(transTime) as "Avg", min(transTime) as "Min", max(transTime) as "Max" by JBossService
| transpose 0 header_field=JBossService column_name=JBossService

Following is a run anywhere search based on Splunk's _internal index:

index=_internal sourcetype=splunkd log_level!=INFO
| stats avg(date_second) as Avg min(date_second) as Min max(date_second) as Max by component
| transpose 0 header_field=component column_name=component
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

cmcdole
Path Finder
‎03-29-2019 06:35 AM

This worked perfectly!! Thanks!

0 Karma
Reply
Solved! Jump to solution

solarboyz1
Builder
‎03-28-2019 09:46 AM

Try using the chart function:

You can specify which field is tracked on the x-axis of the chart. The x-axis variable is specified with a by field and is discretized if necessary. Charted fields are converted to numerical quantities if necessary.
(https://docs.splunk.com/Documentation/Splunk/7.2.4/SearchReference/Chart)

... | chart avg(transTime) as "Avg", min(transTime) as "Min", max(transTime) as "Max", values(JBossService) as JBoss_Service by JBossService
0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...