skv
Reputation: 110
Splunk: Stats from multiple events and expecting one combined output
I have below events
event_a has time_a and MAS_A fields
event_b has time_b and MAS_B fields
event_c has time_c and MAS_C fields
sourcetype="app" eventtype in (event_a,event_b,event_c)
| stats avg(time_a) as "Avg Response Time" BY MAS_A
| eval Avg Response Time=round('Avg Response Time',2)
Output I am getting from above search is two fields MAS_A and Avg Response Time
I am trying to get this for event_b and event_c as well in same search SPL and expecting final output with two fields only
MAS_A_B_C and Avg Response Time
Upvotes: 0
Views: 1210
Answers (1)
Simon Duff
Reputation: 2651
Is this what you are after? Some sample events may help with your query.
sourcetype="app" eventtype in (event_a,event_b,event_c)
| eval time_value=coalesce(time_a, time_b, time_c)
| eval MAS_value =coalesce(MAS_A,MAS_B,MAS_C)
| stats avg(time_value) as "Avg Response Time" BY MAS_value
| eval Avg Response Time=round('Avg Response Time',2)
Upvotes: 2
Related Questions
- Splunk how to display multiple stats queries in table?
- Splunk : extract multiple values from each event
- Group events by multiple fields in Splunk
- How to merge two stats by in Splunk?
- Splunk - Get Prefefined Outputs Based on the event count and event data
- show results from two splunk queries into one
- How to combine two queries in Splunk?
- Splunk combining multiple logs
- Get Aggregate Results instead of Events from Splunk REST API
- Splunk - Merging Associated Events