Hi all, this is my search (sorry, newbie here):
source=*DT* index=index001
| dedup _raw
| convert rmcomma("duration")
| eval previous_month = strftime(relative_time(now(), "-1mon"), "%b")
| eventstats sum("duration") as Ads
| eval amount= tostring(Ads, "commas")
| eval results = previous_month + ": " + amount + " (previous month)"
| table results
Results are:
Jan: 28,783,685 (previous month)
Jan: 28,783,685 (previous month)
Jan: 28,783,685 (previous month)
Jan: 28,783,685 (previous month)
Jan: 28,783,685 (previous month)
... with hundreds of pages
Results show the correct final number, but it displays in multiple rows. I just need to show one single result.
Thank you
Try using stats instead of eventstats.
https://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Eventstats
"The eventstats command is similar to the stats command. The difference is that with the eventstats command aggregation results are added inline to each event and added only if the aggregation is pertinent to that event."
well that is what I need help with 🙂 I tried using stats already and was not able to display a single string just like the one in my sample with eventstats. I am very new to this SPL thing.
how do I format "Ads" with commas plus the addition of string "previous month"?
| stats sum("duration") as Ads
Try this:
| stats sum(duration) as Ads
| eval amount=tostring(Ads, "commas")
| eval previous_month = strftime(relative_time(now(), "-1mon"), "%b")
| eval results = previous_month + ": " + amount + " (previous month)"
| table results
Thanks, man. I was putting this line before the stats command:
| eval previous_month = strftime(relative_time(now(), "-1mon"), "%b")
and that was giving me an error. Not sure why it would matter - thanks again
When you use stats, you're returning statistics over the fields that you explicitly specify with the stats command. All other fields before stats are lost in the transaction if they aren't specified in your stats statement.
Because you evaluated a new field "previous_month" prior to the stats command, but didn't actually use it in stats, Splunk considers that field as gone. When you attempt to later call that field out (eval results = previous_month...), Splunk has no recollection of that field anymore because it was generated prior to stats and itself was not sent through stats, so it didn't appear on the other side.
I admit it's kind of tricky, but you'll get the hang of it 🙂
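To illustrate the point about fields not surviving stats, here is an added SPL example (not posted by anyone in this thread) that keeps previous_month by naming it as a by field in stats; it assumes the same index, source and duration field as the original search.

```spl
index=index001 source=*DT*
| dedup _raw
| convert rmcomma(duration)
| eval previous_month = strftime(relative_time(now(), "-1mon"), "%b")
| stats sum(duration) as Ads by previous_month
| eval results = previous_month + ": " + tostring(Ads, "commas") + " (previous month)"
| table results
```

Because previous_month has the same value for every event, grouping by it still produces a single row; any field evaluated before stats that is neither aggregated nor listed after by is dropped at that point.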
aww I see it. Thanks for the explanation!!! Cheers!