How do you combine two different values from a sin...

dojiepreji · ‎01-14-2019

Suppose I have a chart that counts the number of tickets done by a particular branch and displays them by priority.

Branch     Priority 1     Priority 2     Priority 3
branch1          2             3            5
branch2          1             2            2
branch3          3             4            3

What I want to do is combine branches 1 and 2 like so,

Branch           Priority 1     Priority 2     Priority 2
branch1/branch2        3            5               7
branch 3               3            4               3

I've tried replace, but it only renames the value of a single branch, and does not combine them.

I've also considered the coalesce command, but I could only use it when combining values coming from two different fields, not values coming from a single field.

Can anybody please point me in the right direction?

woodcock · ‎02-13-2019

You can add this to the bottom of your existing search:

| eval Branch = if(Branch=="branch1" OR Branch=="branch2", "branch1/branch2", Branch)
| stats sum(*) AS * BY Branch

But you might get better performance if you move the eval line to be the first pipe after your base search string so that you do not need the stats line at all.

mayurr98 · ‎01-14-2019

Hi @dojiepreji

you can try something like this:

<query for the chart>
| replace branch2 with branch1 in Branch 
| stats  sum(Priority*) as Priority* by Branch 
|  replace branch1 WITH branch1/branch2 in Branch

let me know if this helps!

How do you combine two different values from a single field in a chart?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms