Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to join multiple sourcetypes with additional data from a CSV using a common field (userId), then calculate the average for 2 possible fields by userId?

ivanlesk
Engager
‎02-01-2016 07:05 AM

Hi,

We have 3 sourcetypes with similar data (column names are different e.g. RATE_DOWN in two of them and ACTUAL_DATA_RATE in one of them)

Events are collected at the same time, but from different devices (one sourcetype per device type). And every event contains a user ID.

We have an additional CSV file with list of user IDs and some additional data (rate limits etc.).

I want to calculate avg RATE_DOWN or ACTUAL_DATA_RATE_DOWN fields per user from the CSV with additional data. I tried this:

index=index (sourcetype=sourcetype1 OR sourcetype=sourcetype2 OR sourcetype=sourcetype3)
| join type=inner userId [ |inputcsv additional_data]
| stats avg(RATE_DOWN) avg(ACTUAL_DATA_RATE_DOWN) by userId

I've expected to get a list of all users from the CSV file and their stats, avg(RATE_DOWN) if that field for that user exists, or else avg(ACTUAL_DATA_RATE_DOWN) and the first field should be empty. But instead, I got only stats for users that have rate in ACTUAL_DATA_RATE_DOWN field ( avg(ACTUAL_DATA_RATE_DOWN)).

avg(RATE_DOWN) is always empty, and if I remove sourcetypes leaving just one with RATE_DOWN field, stats are calculated.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎02-01-2016 07:51 AM

Try this.

 index=index (sourcetype=sourcetype1 OR sourcetype=sourcetype2 OR sourcetype=sourcetype3)
| join type=inner userId [ |inputcsv additional_data]
| eval rate_down = coalesce(RATE_DOWN, ACTUAL_DATA_RATE_DOWN)
| stats avg(rate_down) by userId
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

ivanlesk
Engager
‎02-01-2016 07:59 AM

thx, but no help.

again only stats from sourcetype3 are shown (IDs for other users are shown but no stats). If I remove sourcetype3 from first line than results for those users are shown.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...