Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do you display AVG, MIN, and MAX as row headers by Service?

cmcdole
Path Finder
‎03-28-2019 08:59 AM

I have several services that I need to calculate Avg/min/max for. 

{basesearch} | stats avg(transTime) as "Avg", min(transTime) as "Min", max(transTime) as "Max", values(JBossService) as JBoss_Service by JBossService

I need the display to look something like this.

         Service1|Service2|Service3|Service4
Avg  ____###__|__###__|__##____|__##____
Min  ____###__|__###__|__##____|__##____
Max  ____###__|__###__|__##____|__##____

Please help!! Thanks 🙂

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎03-28-2019 11:46 AM

@cmcdole try the following with transpose command with limit=0 to invert all rows as columns and columns as rows:

{basesearch} 
| stats avg(transTime) as "Avg", min(transTime) as "Min", max(transTime) as "Max" by JBossService
| transpose 0 header_field=JBossService column_name=JBossService

Following is a run anywhere search based on Splunk's _internal index:

index=_internal sourcetype=splunkd log_level!=INFO
| stats avg(date_second) as Avg min(date_second) as Min max(date_second) as Max by component
| transpose 0 header_field=component column_name=component
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma
Reply
Solved! Jump to solution

isachse
Explorer
‎03-28-2019 12:45 PM

Have a look to the untable command. That might be a good solution.

0 Karma
Reply
Solved! Jump to solution
Solution

niketn
Legend
‎03-28-2019 11:46 AM

@cmcdole try the following with transpose command with limit=0 to invert all rows as columns and columns as rows:

{basesearch} 
| stats avg(transTime) as "Avg", min(transTime) as "Min", max(transTime) as "Max" by JBossService
| transpose 0 header_field=JBossService column_name=JBossService

Following is a run anywhere search based on Splunk's _internal index:

index=_internal sourcetype=splunkd log_level!=INFO
| stats avg(date_second) as Avg min(date_second) as Min max(date_second) as Max by component
| transpose 0 header_field=component column_name=component
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

cmcdole
Path Finder
‎03-29-2019 06:35 AM

This worked perfectly!! Thanks!

0 Karma
Reply
Solved! Jump to solution

solarboyz1
Builder
‎03-28-2019 09:46 AM

Try using the chart function:

You can specify which field is tracked on the x-axis of the chart. The x-axis variable is specified with a by field and is discretized if necessary. Charted fields are converted to numerical quantities if necessary.
(https://docs.splunk.com/Documentation/Splunk/7.2.4/SearchReference/Chart)

... | chart avg(transTime) as "Avg", min(transTime) as "Min", max(transTime) as "Max", values(JBossService) as JBoss_Service by JBossService
0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

REGISTER NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If ...

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...