
I have the events below:

event_a has time_a and MAS_A fields

event_b has time_b and MAS_B fields

event_c has time_c and MAS_C fields

sourcetype="app" eventtype in (event_a,event_b,event_c)
| stats avg(time_a) as "Avg Response Time" BY MAS_A
| eval "Avg Response Time"=round('Avg Response Time',2)

The output I am getting from the above search is two fields: MAS_A and Avg Response Time.

I am trying to get this for event_b and event_c as well in the same search SPL, and I am expecting a final output with only two fields: MAS_A_B_C and Avg Response Time.

skv

1 Answer

Is this what you are after? Some sample events may help with your query.

sourcetype="app" eventtype in (event_a,event_b,event_c)
| eval time_value=coalesce(time_a, time_b, time_c)
| eval MAS_value=coalesce(MAS_A, MAS_B, MAS_C)
| stats avg(time_value) as "Avg Response Time" BY MAS_value
| eval "Avg Response Time"=round('Avg Response Time',2)
Simon Duff
  • Worked great. I think coalesce in SQL and in Splunk is totally different. What if I have a NULL value and want to display NULL also? – skv Mar 17 '20 at 19:54
  • Can you check my other question too that is similar to this one, but I am expecting stats for every event MAS field as a separate column? – skv Mar 17 '20 at 20:09
  • coalesce will return the first NULL value, so if you need to show it, coalesce probably isn't applicable in that use-case. I will look at the next issue shortly – Simon Duff Mar 17 '20 at 23:18
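The accepted search can be checked offline by emulating what each stage does to a handful of events. The Python below is an added example, not code from the question or answer: it applies coalesce semantics (first argument that is present and non-null) to constructed sample events, groups by the merged MAS value, averages, and rounds to two places. It also shows the two edge cases raised in the comments: an event with no MAS field at all is dropped by `stats ... BY`, because Splunk excludes events whose BY field is null, and an event whose time field is missing is simply ignored by `avg`. The optional `null_label` argument assumes you want the behaviour of running `fillnull value=NULL MAS_value` after the coalesce, so that those otherwise dropped events surface under a visible "NULL" group; the event values and service names are constructed.

```python
from statistics import mean

# Constructed sample events standing in for the three Splunk eventtypes.
EVENTS = [
    {"eventtype": "event_a", "time_a": 1.234, "MAS_A": "svc1"},
    {"eventtype": "event_a", "time_a": 2.0, "MAS_A": "svc1"},
    {"eventtype": "event_b", "time_b": 3.5, "MAS_B": "svc2"},
    {"eventtype": "event_c", "time_c": 0.75, "MAS_C": "svc1"},
    # time field missing: avg() ignores the null, the group still exists
    {"eventtype": "event_c", "MAS_C": "svc1"},
    # MAS field missing: stats BY drops this event unless it is filled first
    {"eventtype": "event_b", "time_b": 9.0},
]


def coalesce(event, *fields):
    """Splunk-style coalesce: first listed field that is present and not null."""
    for field in fields:
        if event.get(field) is not None:
            return event[field]
    return None


def avg_response_by_mas(events, null_label=None):
    """Emulate: eval coalesce | (fillnull) | stats avg BY | eval round.

    Returns {MAS_value: Avg Response Time} like the two-column result.
    null_label is an assumed option: if set, events with no MAS field are kept
    under that label (what fillnull value=<label> MAS_value would do in SPL).
    """
    groups = {}
    for ev in events:
        mas = coalesce(ev, "MAS_A", "MAS_B", "MAS_C")
        if mas is None:
            if null_label is None:
                continue  # stats BY discards events whose BY field is null
            mas = null_label
        time_value = coalesce(ev, "time_a", "time_b", "time_c")
        bucket = groups.setdefault(mas, [])
        if time_value is not None:  # avg() only counts numeric values
            bucket.append(float(time_value))
    return {mas: round(mean(times), 2) for mas, times in groups.items() if times}


if __name__ == "__main__":
    for mas, avg in avg_response_by_mas(EVENTS).items():
        print(f"{mas}\t{avg}")
    print("with fillnull:", avg_response_by_mas(EVENTS, null_label="NULL"))
```

Note that the order of arguments to coalesce matters: an event carrying both MAS_A and MAS_B would be attributed to MAS_A, so if the three eventtypes can ever overlap in one event, the merged column silently prefers the first field listed.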