How to display a single value in my search results?

maximusdm
Communicator

hi all, this is my search, sorry newbie here:

source=*DT* index=index001
| dedup _raw
| convert rmcomma("duration")
| eval previous_month = strftime(relative_time(now(), "-1mon"), "%b")
| eventstats sum("duration") as Ads
| eval amount= tostring(Ads, "commas")
| eval results = previous_month + ": " + amount + " (previous month)"
| table results

Results are:
Jan: 28,783,685 (previous month)
Jan: 28,783,685 (previous month)
Jan: 28,783,685 (previous month)
Jan: 28,783,685 (previous month)
Jan: 28,783,685 (previous month)
... with hundreds of pages

Results show correct final number but it displays in multiple rows. I just need to show one single result.

Thank you


coltwanger
Contributor

Try using stats instead of eventstats.

https://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Eventstats

"The eventstats command is similar to the stats command. The difference is that with the eventstats command aggregation results are added inline to each event and added only if the aggregation is pertinent to that event."


maximusdm
Communicator

Well, that is what I need help with 🙂 I tried using stats already and was not able to display a single string just like the one in my sample with eventstats. I am very new to this SPL thing.
How do I format "Ads" with commas plus the addition of the string "previous month"?
| stats sum("duration") as Ads


coltwanger
Contributor

Try this:

| stats sum(duration) as Ads
| eval amount=tostring(Ads, "commas")
| eval previous_month = strftime(relative_time(now(), "-1mon"), "%b")
| eval results = previous_month + ": " + amount + " (previous month)"
| table results

maximusdm
Communicator

Thanks man. I was putting this line before the stats command:
| eval previous_month = strftime(relative_time(now(), "-1mon"), "%b")

and that was giving me an error. Not sure why it would matter - thanks again


coltwanger
Contributor

When you use stats, you're returning statistics over the fields that you explicitly specify with the stats command. All other fields before stats are lost in the transaction if they aren't specified in your stats statement.

Because you evaluated a new field "previous_month" prior to the stats command, but didn't actually use it in stats, Splunk considers that field as gone. When you attempt to later call that field out (eval results = previous_month...), Splunk has no recollection of that field anymore because it was generated prior to stats and itself was not sent through stats, so it didn't appear on the other side.

I admit it's kind of tricky, but you'll get the hang of it 🙂

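A self-contained version of the pattern described above, added here as an example and not part of the thread: `makeresults` and `streamstats` build three constructed rows in place of the indexed events (so no `source`/`index` is needed), the `eval` that builds `previous_month` runs after `stats` so the field is still present, and the field names (`duration`, `Ads`, `amount`, `previous_month`, `results`) are the ones from the thread.

```spl
| makeresults count=3
| streamstats count AS n
| eval duration = tostring(n * 1000000, "commas")
| convert rmcomma(duration)
| stats sum(duration) AS Ads
| eval amount = tostring(Ads, "commas")
| eval previous_month = strftime(relative_time(now(), "-1mon"), "%b")
| eval results = previous_month . ": " . amount . " (previous month)"
| table results
```

Running this on any Splunk instance returns exactly one row, for example `Mar: 6,000,000 (previous month)` when run in April, because `stats` collapses the three constructed events into a single aggregate. If the month field genuinely has to be computed before `stats` (for instance because it depends on each event's `_time` rather than `now()`), carry it across explicitly with `| stats sum(duration) AS Ads by previous_month`; any field not named in the `stats` clause is dropped, which is the error the thread ran into.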

maximusdm
Communicator

aww I see it. Thanks for the explanation!!! Cheers!
