Comments and answers for "Single-Field Multi-Value Count Difference by Multiple other Fields"
https://answers.splunk.com/answers/134143/single-field-multi-value-count-difference-by-multiple-other-fields.html
The latest comments and answers for the question "Single-Field Multi-Value Count Difference by Multiple other Fields"

Comment by martin_mueller on martin_mueller's answer
https://answers.splunk.com/comments/134414/view.html
That'll run. Let `func` be `avg` for example, then this will add a field `c` to every event that is the value of `a` plus the average of `a` calculated for each combination of `x`, `y`, and `z`.
Mon, 05 May 2014 20:08:49 GMT martin_mueller

Comment by landen99 on landen99's answer
https://answers.splunk.com/comments/134411/view.html
You are very sharp. Let's consider eventstats, which keeps "a" then.
eventstats func(a) AS b by x y z | eval c=a+b
Mon, 05 May 2014 20:05:27 GMT landen99

Comment by martin_mueller on martin_mueller's answer
https://answers.splunk.com/comments/134407/view.html
That's going to be trouble as well, there is no field called `a` after the `stats`.
Mon, 05 May 2014 19:50:55 GMT martin_mueller

Comment by landen99 on landen99's answer
https://answers.splunk.com/comments/134406/view.html
You are correct. The "sum" function requires the stat function. I was thinking about something more like this:
stats func(a) AS b by x y z | eval c=a+b
Mon, 05 May 2014 19:49:38 GMT landen99

Comment by martin_mueller on martin_mueller's answer
https://answers.splunk.com/comments/134333/view.html
That `eval` isn't going to run.
As for that `stats`, it will create a table with four columns: `x y z b`
You'll get one row for every combination of x, y, and z, and b will be `func(a)` for events matching that combination.
Mon, 05 May 2014 14:48:04 GMT martin_mueller

Comment by landen99 on landen99's answer
https://answers.splunk.com/comments/134317/view.html
So
stats func(a) AS b by x y z | eval s=sum(b)
in effect creates the variable b.x.y.z so that eval "s=sum(b)" is really in effect "s=sum(b.x.y.z)" which sums for each unique combination of x, y, and z so that "table s x y z" can show a different value of "s" for each x, y, and z combination. Is this correct?
Mon, 05 May 2014 13:09:14 GMT landen99

Comment by martin_mueller on martin_mueller's answer
https://answers.splunk.com/comments/134156/view.html
Yup, per row / per `domain_root` and `_time`.
Fri, 02 May 2014 21:53:49 GMT martin_mueller

Comment by landen99 on landen99's answer
https://answers.splunk.com/comments/134148/view.html
If I did the second stats approach, how would the eval look?
| stats count AS c0 count(eval(dns_type="Q")) AS cq count(eval(dns_type="R")) AS cr by domain_root _time | eval d=cq-cr
If so, then would this "d" be per domain and time bucket?
Fri, 02 May 2014 21:09:32 GMT landen99

Answer by martin_mueller
https://answers.splunk.com/answering/134147/view.html
The second `stats` seems reasonable to me. The issue with the first one is that `eval` works on a per-event / per-row basis, so you'd have to merge each pair first before doing the calculation - the second `stats` already does that for you.
Fri, 02 May 2014 20:50:59 GMT martin_mueller
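As an added example (not code from the thread or from Splunk), a Python model of the two pipelines discussed above: the `stats ... | eval d=cq-cr` search from the accepted answer and the `eventstats` variant from the comments, run over constructed DNS events. It shows why a per-event field (here `dns_type`, standing in for the thread's `a`) is gone after `stats` but still available after `eventstats`, and which `domain_root`/`_time` groups end up with more queries than responses. The event fields, values and time buckets are constructed assumptions.

```python
# Constructed sample events (assumption, not data from the thread):
# _time is already bucketed (e.g. by "bin _time span=1m"), dns_type is Q or R.
EVENTS = [
    {"_time": 0, "domain_root": "example.com", "dns_type": "Q"},
    {"_time": 0, "domain_root": "example.com", "dns_type": "R"},
    {"_time": 0, "domain_root": "example.com", "dns_type": "Q"},
    {"_time": 0, "domain_root": "test.net", "dns_type": "Q"},
    {"_time": 60, "domain_root": "example.com", "dns_type": "Q"},
    {"_time": 60, "domain_root": "example.com", "dns_type": "R"},
    {"_time": 60, "domain_root": "test.net", "dns_type": "Q"},
    {"_time": 60, "domain_root": "test.net", "dns_type": "Q"},
    {"_time": 60, "domain_root": "test.net", "dns_type": "R"},
]


def stats_qr_diff(events):
    """Model of:
      | stats count AS c0 count(eval(dns_type="Q")) AS cq
              count(eval(dns_type="R")) AS cr by domain_root _time
      | eval d=cq-cr
    Returns one row per (domain_root, _time). The raw events are gone,
    so a later eval can only see c0, cq, cr, d and the by-fields."""
    rows = {}
    for e in events:
        row = rows.setdefault((e["domain_root"], e["_time"]),
                              {"c0": 0, "cq": 0, "cr": 0})
        row["c0"] += 1                      # plain count
        if e["dns_type"] == "Q":
            row["cq"] += 1                  # count(eval(dns_type="Q"))
        elif e["dns_type"] == "R":
            row["cr"] += 1                  # count(eval(dns_type="R"))
    for row in rows.values():
        row["d"] = row["cq"] - row["cr"]    # eval d=cq-cr, once per row
    return rows


def eventstats_qr_diff(events):
    """Model of the same aggregation with eventstats: every event is kept
    and annotated with its group's cq/cr, so per-event fields such as
    dns_type are still there for the eval, as the comments point out."""
    rows = stats_qr_diff(events)
    return [{**e, **{k: rows[(e["domain_root"], e["_time"])][k]
                     for k in ("cq", "cr", "d")}} for e in events]


def unanswered(events):
    """Groups with more queries than responses, i.e. what a trailing
    `| where d>0` would leave after the stats search."""
    return sorted(k for k, r in stats_qr_diff(events).items() if r["d"] > 0)
```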