I have performance data captured with Splunk with fields and data like this:
DatabaseCachePercentHit=0
DatabaseCacheSizeMB=22839
DatabasePageFaultStallsPersec=0
DatabasePageFaultsPersec=0
IODatabaseReadsAttachedAverageLatency=0
IODatabaseReadsRecoveryAverageLatency=0
ComputerName=MAIL1S1
I need to turn this into a table with the columns: Name,Latest,Max(last 24h),Average
How can I use stats to create the same columns for these different fields? And group them each into a row?
Here's one approach.
For simplicity, this assumes that your max is calculated over the same time period as your reporting range. It pulls everything into field values rather than field names, since stats
and most other transformative commands want to operate against values:
sourcetype=whatever
| rex field=_raw max_match=10 "(?<kvpair>\w+=\d+)"
| mvexpand kvpair
| rex field=kvpair "(?<key>\w+)=(?<value>\d+)"
| stats first(value) as "Latest" max(value) as "Max" avg(value) as "Average" by host,key
| sort host,key
If your intent was to have the 'Max' value for only the last 24 hours, regardless of the overall search time window, you can mask out the older values:
...
| eval todayvalue=if(now()-86400<_time, todayvalue, null)
| stats first(value) as "Latest" max(todayvalue) as "24h Max" avg(value) as "Average" by host,key
Here's one approach.
For simplicity, this assumes that your max is calculated over the same time period as your reporting range. It pulls everything into field values rather than field names, since stats
and most other transformative commands want to operate against values:
sourcetype=whatever
| rex field=_raw max_match=10 "(?<kvpair>\w+=\d+)"
| mvexpand kvpair
| rex field=kvpair "(?<key>\w+)=(?<value>\d+)"
| stats first(value) as "Latest" max(value) as "Max" avg(value) as "Average" by host,key
| sort host,key
If your intent was to have the 'Max' value for only the last 24 hours, regardless of the overall search time window, you can mask out the older values:
...
| eval todayvalue=if(now()-86400<_time, todayvalue, null)
| stats first(value) as "Latest" max(todayvalue) as "24h Max" avg(value) as "Average" by host,key
This works perfectly, exactly what I wanted. Thank you.