Solved: map command to do stats stdev($field_name$) ...

melonman · ‎04-07-2014

Hi

I am looking for a search that iterates all my fieldname start with f* and get the statistics value of each f and get the large table.

sample data looks like this:

timestamp,f1,f2,f3,f4,f5,f6,f7,f8,f9
2014/04/01 00:00:00,0,2,3,1,2,5,6,9,3
2014/04/01 00:00:01,1,0,0,1,2,3,10,1,2
...

there are 100+ f* fields.

Now I have the following search, which does not run successfully.

index=sampledata
| head 1 
| table f* 
| transpose 
| table column 
| rename column as f_name 
| map maxsearches=1000 search="index=sampledata | stats stdev($f_name$) as stdev | eval f_name=$f_name$"

I get this error message

Unable to run query 'index=sampledata | stats stdev(f1) as stdev | eval f_name=f1'.

I am trying to get the result that looks like this:

f_name, stdev
-------------
f1, 2
f2, 4
f3, 3
f4, 5

Anyone know how to use map command to do this?
Or anyother way to perform?

linu1988 · ‎04-07-2014

Hello,
You have missed search in the map search query.

....| map maxsearches=1000 search="search index=sampledata | stats stdev($f_name$) as stdev | eval f_name=$f_name$"

Thanks

View solution in original post

martin_mueller · ‎04-07-2014

How about this?

index=sampledata | stats stdev(f*)

linu1988 · ‎04-07-2014

Hello,
You have missed search in the map search query.

....| map maxsearches=1000 search="search index=sampledata | stats stdev($f_name$) as stdev | eval f_name=$f_name$"

Thanks

melonman · ‎04-07-2014

Thank you linu1988 for pointing out!

I forgot "search"... also f_name's double quote with escape. Now my search looks like this.
(now more stats inside the map command..)

....| map maxsearches=1000 search="search index=sampledata | stats stdev($f_name$) as stdev median($f_name$) as median | eval f_name=\"$f_name$\""

map command to do stats stdev($field_name$) ...

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!