Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do you display AVG, MIN, and MAX as row headers by Service?

cmcdole
Path Finder
‎03-28-2019 08:59 AM

I have several services that I need to calculate Avg/min/max for. 

{basesearch} | stats avg(transTime) as "Avg", min(transTime) as "Min", max(transTime) as "Max", values(JBossService) as JBoss_Service by JBossService

I need the display to look something like this.

         Service1|Service2|Service3|Service4
Avg  ____###__|__###__|__##____|__##____
Min  ____###__|__###__|__##____|__##____
Max  ____###__|__###__|__##____|__##____

Please help!! Thanks 🙂

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎03-28-2019 11:46 AM

@cmcdole try the following with transpose command with limit=0 to invert all rows as columns and columns as rows:

{basesearch} 
| stats avg(transTime) as "Avg", min(transTime) as "Min", max(transTime) as "Max" by JBossService
| transpose 0 header_field=JBossService column_name=JBossService

Following is a run anywhere search based on Splunk's _internal index:

index=_internal sourcetype=splunkd log_level!=INFO
| stats avg(date_second) as Avg min(date_second) as Min max(date_second) as Max by component
| transpose 0 header_field=component column_name=component
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma
Reply
Solved! Jump to solution

isachse
Explorer
‎03-28-2019 12:45 PM

Have a look to the untable command. That might be a good solution.

0 Karma
Reply
Solved! Jump to solution
Solution

niketn
Legend
‎03-28-2019 11:46 AM

@cmcdole try the following with transpose command with limit=0 to invert all rows as columns and columns as rows:

{basesearch} 
| stats avg(transTime) as "Avg", min(transTime) as "Min", max(transTime) as "Max" by JBossService
| transpose 0 header_field=JBossService column_name=JBossService

Following is a run anywhere search based on Splunk's _internal index:

index=_internal sourcetype=splunkd log_level!=INFO
| stats avg(date_second) as Avg min(date_second) as Min max(date_second) as Max by component
| transpose 0 header_field=component column_name=component
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

cmcdole
Path Finder
‎03-29-2019 06:35 AM

This worked perfectly!! Thanks!

0 Karma
Reply
Solved! Jump to solution

solarboyz1
Builder
‎03-28-2019 09:46 AM

Try using the chart function:

You can specify which field is tracked on the x-axis of the chart. The x-axis variable is specified with a by field and is discretized if necessary. Charted fields are converted to numerical quantities if necessary.
(https://docs.splunk.com/Documentation/Splunk/7.2.4/SearchReference/Chart)

... | chart avg(transTime) as "Avg", min(transTime) as "Min", max(transTime) as "Max", values(JBossService) as JBoss_Service by JBossService
0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...