Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create a second set of metrics, stats count by the field within the same table?

IRHM73
Motivator
‎04-19-2018 08:42 AM

Hi, I wonder whether someone may be able to help me please:

I'm using the following query to record customer ratings and comments:

`frontend_wmf(ExitSurvey)`
| fields detail.whatDoYouThink detail.comments
| table detail.whatDoYouThink detail.comments

This produces, as I would expect a table of ratings and customer comments on the same row for the given number of events for the day:

Which looks like:

alt text

What I'd like to do, almost as a second set of metrics, is to produce a stats count by the field detail.whatDoYouThink but within the same table.

Could someone tell me please is this possible?

Many thanks and kind regards

Chris

Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

IRHM73
Motivator
‎04-19-2018 10:55 AM

Hi, although a little different in design, I've come up with the following which captures all the results:

`frontend_wmf(ExitSurvey)`
| fields detail.whatDoYouThink detail.comments
| stats list(detail.comments) as Comments sum(detail.whatDoYouThink) as "Rating_Total" by detail.whatDoYouThink
| rename detail.whatDoYouThink as Rating
| table Rating "Rating_Total" Comments

Many thanks to all for your help.

Kindest Regards

Chris

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

IRHM73
Motivator
‎04-19-2018 10:55 AM

Hi, although a little different in design, I've come up with the following which captures all the results:

`frontend_wmf(ExitSurvey)`
| fields detail.whatDoYouThink detail.comments
| stats list(detail.comments) as Comments sum(detail.whatDoYouThink) as "Rating_Total" by detail.whatDoYouThink
| rename detail.whatDoYouThink as Rating
| table Rating "Rating_Total" Comments

Many thanks to all for your help.

Kindest Regards

Chris

0 Karma
Reply
Solved! Jump to solution

IRHM73
Motivator
‎04-19-2018 09:55 AM

Hi, thank you for taking the time to reply with a solution.

I've made an amendment to my original post to show what I'd like the table to look like if possible.

Many thanks and kind regards

Chris

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎04-19-2018 09:10 AM

You can use eventstats command to add the count field without reducing the number of rows.

`frontend_wmf(ExitSurvey)`
 | table detail.whatDoYouThink detail.comments
 | eventstats count by  detail.whatDoYouThink
0 Karma
Reply
Solved! Jump to solution

damien_chillet
Builder
‎04-19-2018 08:52 AM

Could you show us how you want the final table to look like?

0 Karma
Reply
Solved! Jump to solution

IRHM73
Motivator
‎04-19-2018 09:53 AM

Hi, thank you for taking the time to reply.

I've amended my original post to show the table I'd like to try and get please.

Many thanks and kind regards

Chris

0 Karma
Reply
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...