Compare search fields to add another field if they...

danielsavage · ‎07-04-2017

So at the moment I have a simple search

index=index sourcetype="sourcetype"  host1 OR host2 | table hour day month AvgCpuPerc

And this returns results like
18:00 12th Friday June 22%
18:00 12th Friday June 48%
17:00 12th Friday June 19%
17:00 12th Friday June 41%

What I would like to do, is have the results like this, but instead of having duplicate dates, have only one result for each date with the AvgCpuPerc column added, to give a result like this

18:00 12th Friday June 70%
17:00 12th Friday June 60%

How do I do this?

adonio · ‎07-04-2017

hello there,
looks like in your example you summed the percentages when saying you want average,
regardless, use stats command.

index=index sourcetype="sourcetype"  host1 OR host2 |stats avg(AvgCpuPerc) as hour_avg sum(AvgCpuPerc) as hour_sum by hour day month AvgCpuPerc

hope it helps

richgalloway · ‎07-04-2017

Try this.

index=index sourcetype="sourcetype"  host1 OR host2 | stats sum(AvgCpuPerc) as AvgCpuPerc by hour day month | table hour date month AvgCpuPerc

If the '%' character is part of the data then it will have to be removed for the stats command to work. Like this.

 index=index sourcetype="sourcetype"  host1 OR host2  | eval AvgCpuPerc=trim(AvgCpuPerc,"%") |  stats sum(AvgCpuPerc) as AvgCpuPerc by hour day month | eval AvgCpuPerc=AvgCpuPerc."%" | table hour date month AvgCpuPerc

---
If this reply helps you, Karma would be appreciated.

Compare search fields to add another field if they match

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor