1

I have a existing splunk table as:

JobAction Status TimeTaken(ms) Records Host
Delete SUCCESS 100 50 Host1
Delete SUCCESS 120 200 Host1
Insert SUCCESS 500 30 Host1
Insert SUCCESS 120 25 Host1

I want to get the totaltime and totalrecords based on jobaction like as follows:

JobAction Status Totaltime(ms) TotalRecords Host
Delete SUCCESS 220 250 Host1
Insert SUCCESS 620 55 Host1

I tried doing

|stats sum(Records) as TotalRecords by host,JobAction,Status

and was able to get total records but when i do the same for timetaken it's coming as empty.

Any suggestions on how to get total time and record both based on jobaction?

AD27060
  • 21
  • 5

1 Answers1

2

Are you saying you tried |stats sum("TimeTaken(ms)") as "Totaltime(ms)", sum(Records) as TotalRecords by host,JobAction,Status? Both calculations have to be done in the same stats command or you'll get empty results in the second stats call. That's because stats is a transforming command that removes any fields it doesn't use or create so any subsequent stats call won't have the same fields to work with.

RichG
  • 9,063
  • 2
  • 18
  • 29
  • Yes, i tried that. It was only giving me total records and time as empty. I get it stats is a transforming command. Is there a non transforming substitute for that? – AD27060 Oct 10 '22 at 14:32
  • It should have worked, but won't if my assumptions about your field names don't match your reality. Can you please share more of your query, specifically the part that creates the `TimeTaken(ms)` field? The non-transforming alternatives to `stats` are `eventstats` and `streamstats`. You probably want `eventstats`. – RichG Oct 10 '22 at 14:47