Creating a table with common columns for multiple fields

Question

I have performance data captured with Splunk with fields and data like this:

DatabaseCachePercentHit=0
DatabaseCacheSizeMB=22839
DatabasePageFaultStallsPersec=0
DatabasePageFaultsPersec=0
IODatabaseReadsAttachedAverageLatency=0
IODatabaseReadsRecoveryAverageLatency=0
ComputerName=MAIL1S1

I need to turn this into a table with the columns: Name,Latest,Max(last 24h),Average

How can I use stats to create the same columns for these different fields? And group them each into a row?

Accepted Answer

Here's one approach.

For simplicity, this assumes that your max is calculated over the same time period as your reporting range. It pulls everything into field values rather than field names, since stats and most other transformative commands want to operate against values:

sourcetype=whatever
| rex field=_raw max_match=10 "(?<kvpair>\w+=\d+)"
| mvexpand kvpair
| rex field=kvpair "(?<key>\w+)=(?<value>\d+)"
| stats first(value) as "Latest" max(value) as "Max" avg(value) as "Average" by host,key
| sort host,key

If your intent was to have the 'Max' value for only the last 24 hours, regardless of the overall search time window, you can mask out the older values:

...
| eval todayvalue=if(now()-86400<_time, todayvalue, null)
| stats first(value) as "Latest" max(todayvalue) as "24h Max" avg(value) as "Average" by host,key

Creating a table with common columns for multiple fields

Follow this question

Splunk Resources

Related questions