Solved: How can I group field names to compare values with...

deepashri_123 · ‎11-27-2017

Hi,

I have around 200 KPIs, each having field names in the form of *_KPI and with numbers and each *_KPI has different values.
for eg, 100_KPI has values 0, 1,56,100 and so on. Is it possible to group all field names in 1 field name as KPI? I need to compare the latest value of each KPI with the 7 day avg date_hour count and group it by KPI and display only KPI that have large deviation in single panel.

woodcock · ‎11-28-2017

This is generally done with coalesce like this:

| eval KPI=coalesce(100_KPI, 99_KPI, ..., 1_KPI, "DefaultValueHere")

You can do similar with foreach like this:

| foreach *_KPI [ eval KPI=coalesce(KPI, <<FIELD>>) ]

View solution in original post

woodcock · ‎11-28-2017

This is generally done with coalesce like this:

| eval KPI=coalesce(100_KPI, 99_KPI, ..., 1_KPI, "DefaultValueHere")

You can do similar with foreach like this:

| foreach *_KPI [ eval KPI=coalesce(KPI, <<FIELD>>) ]

kamlesh_vaghela · ‎11-27-2017

Hi
You can use foreach command to group 1 field. Can you please share your sample search?

https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/Foreach

Thanks

How can I group field names to compare values within a specified time range?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor