- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Inspite of using Appendpipe , the new row is not g...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Inspite of using Appendpipe , the new row is not getting displayed
index="xyz"
| stats avg("Service Provided") AS "Average of Service Provided " BY "Survey Month"
| eval "Average of Service Provided "=round('Average of Service Provided',2)
| appendpipe [stats avg("Service Provided ") AS "Average of Service Provided"| eval Survey Month="Avg"]
The above is a query that I am trying so that I get a new row named "Avg" displayed with the average calculated in the corresponding stats command. Why is the new row not getting displayed?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@monyathomas your appendpipe is not leading to expected results because the field "Service Provided" is not available after the stats command where you have renamed the same to "Average of Service Provided". So you should try the following instead:
index="xyz"
| stats avg("Service Provided") AS "Average of Service Provided" BY "Survey Month"
| eval "Average of Service Provided"=round('Average of Service Provided',2)
| appendpipe
[ stats avg("Average of Service Provided") AS "Average of Service Provided"
| eval "Survey Month"="Avg"]
Following is a run anywhere search with Splunk's _internal index with cooked up fields/data as per your question.
index="_internal" sourcetype=splunkd
| rename date_hour as "Survey Month", date_second as "Service Provided"
| stats avg("Service Provided") AS "Average of Service Provided" BY "Survey Month"
| eval "Average of Service Provided"=round('Average of Service Provided',2)
| appendpipe
[ stats avg("Average of Service Provided") AS "Average of Service Provided"
| eval "Survey Month"="Avg"]
Please try out and confirm!
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think you missed the BY clause in stats, and your assignment to AVG field isn't accurate
try:
| appendpipe [| stats avg("Service Provided ") AS "Average of Service Provided" BY "Survey Month" | eval Avg = 'Average of Service Provided' | fields - "Average of Service Provided"]
fields - "Average of Service Provided": ensure that your values of subsearch aren't appended to the same column as your main search. Since you want a separate column for AVG.
OR, you can do the below, to rename in stats altogether
| appendpipe [| stats avg("Service Provided ") AS "Avg" BY "Survey Month"]
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
