I have a bit of data that looks like
base search term
| eval varA = fieldA/3
| eval varB = fieldB/36
| eval varC = varA * varB
| stats sum(varC) by NAME
Where NAME is the value of another field - i.e., we have a bunch of data [vars A, B, and C] from one source, NAME. This code displays data in the format that I want: a statistics page with the sums of varC by NAME.
However, I am trying to generate a table of the format
NAME | varA | varB | varC | Performance
Where Performance checks to see if varC is >= a given number.
What is the Splunky way to do this? I'm trying not to get into bad habits.
Try this
base search term
| eval varA = fieldA/3
| eval varB = fieldB/36
| eval varC = varA * varB
| table NAME varA varB varC
| eval Performance=if(varC>=SomeNumberHere,"Message1Here","Message2Here")
Now, if you could explain what values varA, varB and varC should contain if aggregation needs to be done, we can include a stats command instead of the table command. E.g., if you want the max of varA and varB and the sum of varC, just replace | table NAME varA varB varC in the above query with | stats max(varA) as varA max(varB) as varB sum(varC) as varC by NAME.
base search term
| eval varA = fieldA/3
| eval varB = fieldB/36
| eval varC = varA * varB
| eval Performance = if(varC >= X, "Good", "Bad")
| stats sum(varC) by NAME, Performance
Depending on what you want for the value of Performance, you can just add in a quick eval with an IF or a Case to set the field, then add the field to your stats.
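An added example, not part of the original answers: a self-contained search that builds six constructed events with makeresults, aggregates per NAME, and only then evaluates Performance, so the threshold is checked against the summed varC rather than against each event. The NAME values hostA and hostB, the generated field values and the threshold 50 are all made up for illustration.

```spl
| makeresults count=6
| streamstats count as n
| eval NAME = if(n <= 3, "hostA", "hostB")
| eval fieldA = n * 3, fieldB = n * 36
| eval varA = fieldA/3
| eval varB = fieldB/36
| eval varC = varA * varB
| stats sum(varA) as varA sum(varB) as varB sum(varC) as varC by NAME
| eval Performance = if(varC >= 50, "Good", "Bad")
| table NAME varA varB varC Performance
```

Placing the eval before the stats and adding Performance to the by clause instead splits each NAME into one row per Performance value, because the check then runs on every event.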