Quick tip when working with the stats command

When you're working with the stats command, it's often nice to rename the result fields so the aggregation function is dropped from the name (latest(foo) becomes foo):

| makeresults count=3 
| streamstats count
| eval foo="bar"
| stats latest(foo) as foo latest(count) as count

This means typing every field name twice, which gets tedious and violates the DRY principle.

Instead, try this next time:

| makeresults count=3 
| streamstats count
| eval foo="bar"
| stats latest(foo) latest(count)
| rename latest(*) as *

Now you don't have to type every field name: rename accepts wildcards, and whatever the * matches on the left of "as" is substituted on the right, so latest(foo) becomes foo and latest(count) becomes count. Fields without parentheses are left untouched.

UPDATE: I have extended this into a macro that handles any aggregation function, not just latest(). Create a macro (I call mine "drop_agg") with this definition, then call it as `drop_agg` after any stats command:

foreach *(*) [ rename <<FIELD>> as <<MATCHSEG2>> ] 
| fields - *(*)
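One caveat with the wildcard rename, and with the drop_agg macro above: two aggregations of the same field, such as dc(src_ip) and values(src_ip), both rename to src_ip, so one overwrites the other. The search below is an added example and not part of the original post. It builds a small constructed set of login events with makeresults (the fields user, src_ip and action are made up for the example), aggregates them, and uses <<MATCHSEG2>>_<<MATCHSEG1>> instead of <<MATCHSEG2>> alone so the function name survives as a suffix and nothing collides:

```spl
| makeresults count=6
| streamstats count as n
| eval _time=_time+n, user=if(n%2==0, "alice", "bob"), src_ip="10.0.0.".n, action=if(n==5, "failure", "success")
| stats count dc(src_ip) values(src_ip) latest(action) by user
| foreach *(*) [ rename <<FIELD>> as <<MATCHSEG2>>_<<MATCHSEG1>> ]
| fields - *(*)
```

The result has the columns user, count, src_ip_dc, src_ip_values and action_latest; bob's action_latest is "failure" because the n=5 event is his newest (the _time offset is there so latest() is deterministic). count and user have no parentheses, so *(*) never matches them and they keep their names. The trailing fields - *(*) is kept, as in the macro, as a safety net for anything the rename did not touch. If you only ever apply one function per field, the original <<MATCHSEG2>> form gives the cleaner names; the suffix form is the one to reach for when the same field shows up under several functions.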