I have a existing splunk table as:
| JobAction | Status | TimeTaken(ms) | Records | Host |
|---|---|---|---|---|
| Delete | SUCCESS | 100 | 50 | Host1 |
| Delete | SUCCESS | 120 | 200 | Host1 |
| Insert | SUCCESS | 500 | 30 | Host1 |
| Insert | SUCCESS | 120 | 25 | Host1 |
I want to get the totaltime and totalrecords based on jobaction like as follows:
| JobAction | Status | Totaltime(ms) | TotalRecords | Host |
|---|---|---|---|---|
| Delete | SUCCESS | 220 | 250 | Host1 |
| Insert | SUCCESS | 620 | 55 | Host1 |
I tried doing
|stats sum(Records) as TotalRecords by host,JobAction,Status
and was able to get total records but when i do the same for timetaken it's coming as empty.
Any suggestions on how to get total time and record both based on jobaction?
Are you saying you tried
|stats sum("TimeTaken(ms)") as "Totaltime(ms)", sum(Records) as TotalRecords by host,JobAction,Status? Both calculations have to be done in the samestatscommand or you'll get empty results in the secondstatscall. That's becausestatsis a transforming command that removes any fields it doesn't use or create so any subsequentstatscall won't have the same fields to work with.