Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

easier/better way to get a general field summary table

sideview
SplunkTrust
SplunkTrust
‎04-13-2012 04:49 PM

I have an interesting situation where I want to be able to display a little summary table, showing a few statistics about a small number of fields, as calculated from a restricted set of events.

Basically I want it to look like the below:

field avg min max
avg_age 0.000000 0.000000 0.000000
eps 0.935385 0.064514 2.836625
ev 34.869565 2 86
kb 6.600976 0.244141 16.830078



The closest I've gotten is this search:

foo | fields avg_age eps ev kb | fields - _* | stats values(*) as * | transpose | rename column as field "row 1" as value | eval value=split(value, " ") | stats avg(value) as avg min(value) as min max(value) as max by field

which looks like it works. However I think the use of multivalue fields here is going to lead to truncation and thus the statistics aren't going to be trustworthy.

Can anyone help? I have this feeling that there's something simple I'm missing? Like if there was a 'summary' command:

summary stats="min,max,avg" fields="avg_age eps ev kb"

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ziegfried
Influencer
‎04-14-2012 09:25 AM

Not that much easier, but here you go:

... | fields field1 field1 | stats min max avg | transpose | rex field=column "(?<stat>[^\(]+)\((?<field>[^\)]+)" | rename "row 1" as value | xyseries field stat value

Also, it's fairly easy to create a macro:

[summary_stats(2)]
args = fields,stats
definition = fields $fields$ | stats $stats$ | transpose | rex field=column "(?<stat>[^\(]+)\((?<field>[^\)]+)" | rename "row 1" as value | xyseries field stat value
iseval = 0

which makes the search easier to read:

 ... | `summary_stats(field1 field2 field3, min max avg)`

View solution in original post

Reply
Solved! Jump to solution
Solution

ziegfried
Influencer
‎04-14-2012 09:25 AM

Not that much easier, but here you go:

... | fields field1 field1 | stats min max avg | transpose | rex field=column "(?<stat>[^\(]+)\((?<field>[^\)]+)" | rename "row 1" as value | xyseries field stat value

Also, it's fairly easy to create a macro:

[summary_stats(2)]
args = fields,stats
definition = fields $fields$ | stats $stats$ | transpose | rex field=column "(?<stat>[^\(]+)\((?<field>[^\)]+)" | rename "row 1" as value | xyseries field stat value
iseval = 0

which makes the search easier to read:

 ... | `summary_stats(field1 field2 field3, min max avg)`
Reply
Solved! Jump to solution

sideview
SplunkTrust
SplunkTrust
‎04-14-2012 11:06 AM

Awesome answer. Since it doesn't use values() it wont get truncated. Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...