Statistics 如何在Splunk中合并两个统计信息？_Statistics_Splunk_Splunk Query

Statistics 如何在Splunk中合并两个统计信息？

statistics

Statistics 如何在Splunk中合并两个统计信息？,statistics,splunk,splunk-query,Statistics,Splunk,Splunk Query,我想要一个图表来显示值。一个搜索是 index="cumu_open_csv" Assignee="ram" | eval open_field=if(in(Status,"Open","Reopened","Waiting","In Progress"), 1,0) | stats count(eval(open_field=1)) AS Open, count(eval

我想要一个图表来显示值。一个搜索是

index="cumu_open_csv"  Assignee="ram"
| eval open_field=if(in(Status,"Open","Reopened","Waiting","In Progress"), 1,0)
| stats count(eval(open_field=1)) AS Open, count(eval(open_field=0)) AS closed by CW_Created

这给了我一张桌子

同样，我还有另一个搜索

 index="cumu_open_csv"  Assignee="ram"
| eval open_field=if(in(Status,"Open","Reopened","Waiting","In Progress"), 1,0)
| stats count(eval(open_field=1)) As DueOpen by CW_DueDate

这给了我另一张桌子

我尝试使用appendcols将这两个表合并起来，但是X轴只创建了CW_，并且以错误的CW显示了第二个表的详细信息

我希望CW_Created和CW_Duedate合并在一起，并在单个表中提供结果，如CW、Open、Close、DueCount，只要DueCount不是针对特定CW，请将其填充为0，其他人则显示类似的数据

CW      |Open     |Close    |DueCount
CW27    |7        |0        |0
CW28    |2        |0        |0
CW29    |0        |0        |4
CW30    |0        |7        |3
CW31    |0        |0        |1
CW32    |0        |0        |1

appendcols命令使用起来有点棘手。主搜索和子搜索中的事件以一对一的方式配对，不考虑任何字段值。这意味着事件CW27将与CW29、CW28与CW30匹配，依此类推

请改用append命令。子搜索的结果将跟随主搜索的结果，但是可以使用stats命令来合并它们

index="cumu_open_csv"  Assignee="ram"
| eval open_field=if(in(Status,"Open","Reopened","Waiting","In Progress"), 1,0)
| stats count(eval(open_field=1)) AS Open, count(eval(open_field=0)) AS closed by CW_Created
| append [ index="cumu_open_csv"  Assignee="ram"
| eval open_field=if(in(Status,"Open","Reopened","Waiting","In Progress"), 1,0)
| stats count(eval(open_field=1)) As DueOpen by CW_DueDate ]
| eval CW = coalesce(CW_Created, CW_DueDate)
| stats values(*) as * by CW

这可能就是你要找的

index="cumu_open_csv"  Assignee="ram"
| eval open_field=if(in(Status,"Open","Reopened","Waiting","In Progress"), 1,0)
| stats count(eval(open_field=1)) AS Open, count(eval(open_field=0)) AS closed by CW_Created
| rename CW_Created as CW
| join type=outer CW
    [| search index="cumu_open_csv"  Assignee="ram"
    | eval open_field=if(in(Status,"Open","Reopened","Waiting","In Progress"), 1,0)
    | stats count(eval(open_field=1)) As DueOpen by CW_DueDate
    | rename CW_DueDate as CW ]

或者可能是：

index="cumu_open_csv"  Assignee="ram"
| eval open_field=if(in(Status,"Open","Reopened","Waiting","In Progress"), 1,0)
| eval CW=if(len(CW_Created)>1,CW_Created,CW_DueDate)
| stats count(eval(open_field=1)) AS Open, count(eval(open_field=0)) AS closed, count(eval(open_field=1)) as DueOpen by CW

样本数据将使这一点更容易尝试帮助您

这在xaxis中再次给出，只有CW_Creaed…CW27、28和CW30才会出现