https://community.splunk.com/t5/Getting-Data-In/data-mapping-in-csv-file-during-splunk-search/m-p/114696#M23985 <P>HI,</P> <P>The solution will be much simpler if you can get the access to raw logs. In case, its not possible, you can try following approach.</P> <PRE><CODE>| inputlookup Data.csv | eval customField=[| inputlookup Data.csv | table time,busycore,cpu0,cpu1,cpu2 | fields - time busycore | transpose | fields column| eval customField = "\"".column."=\".".column.".\"~\"." | stats values(customField) as QueryValues | makemv delim="||" QueryValues | eval QueryFilter = substr(QueryValues , 1, len(QueryValues)-5) | return $QueryFilter] | makemv delim="~" customField | fields time busycore customField | mvexpand customField | eval customField = split(customField ,"=") | eval cpuName = mvindex(customField, 0) | eval cpuUsage=mvindex(customField, 1) | eventstats max(cpuUsage) as maxUsageByTime by time | eval maxCheck=if(cpuUsage==maxUsageByTime,"Yes","NO") </CODE></PRE> <P>Here is an explanation:</P> <OL> <LI>Load the data : *<EM>| inputlookup Data.csv *</EM></LI> <LI>Dynamically construct a customField which will have value like <STRONG>"cpu0=".cpu0."~". "cpu1=".cpu1."~". "cpu2=".cpu2</STRONG>. This value will change depending on the number of CPU information you have in the data. The subsearch dynamically construct the string similar to above string.</LI> <LI>Rearrange the data as multiple events so that stats function can be used. All the events with <STRONG>maxCheck=Yes</STRONG> are the maximum value for that time.</LI> </OL> <P>Thanks!!</P> Wed, 20 May 2015 11:49:33 GMT vganjare 2015-05-20T11:49:33Z https://community.splunk.com/t5/Getting-Data-In/data-mapping-in-csv-file-during-splunk-search/m-p/114695#M23984 <P>Hi,</P> <P>I have a csv file, and i don't have access to raw data. csv file is created by some other software.<BR /> its structure is like:</P> <P>time busycore cpu0 cpu1 cpu2<BR /> 01:20:30 1 20% 50% 10%<BR /> 01:28:30 0 80% 30% 40%<BR /> 01:30:25 1 40% 90% 30%</P> <P>i have to plot a graph showing at which time which cpu was busiest one and the value of that cpu.<BR /> for example at 01:20:30 busycore is 1 means cpu1 was busiest and it was used by 50%.<BR /> graph should show at 01:20:30 cpu1 was busiest and used by 50%.<BR /> any graph is ok with me. it can be bubble or scatter anything.</P> <P>Thanks</P> Wed, 20 May 2015 08:49:27 GMT https://community.splunk.com/t5/Getting-Data-In/data-mapping-in-csv-file-during-splunk-search/m-p/114695#M23984 ektasiwani 2015-05-20T08:49:27Z https://community.splunk.com/t5/Getting-Data-In/data-mapping-in-csv-file-during-splunk-search/m-p/114696#M23985 <P>HI,</P> <P>The solution will be much simpler if you can get the access to raw logs. In case, its not possible, you can try following approach.</P> <PRE><CODE>| inputlookup Data.csv | eval customField=[| inputlookup Data.csv | table time,busycore,cpu0,cpu1,cpu2 | fields - time busycore | transpose | fields column| eval customField = "\"".column."=\".".column.".\"~\"." | stats values(customField) as QueryValues | makemv delim="||" QueryValues | eval QueryFilter = substr(QueryValues , 1, len(QueryValues)-5) | return $QueryFilter] | makemv delim="~" customField | fields time busycore customField | mvexpand customField | eval customField = split(customField ,"=") | eval cpuName = mvindex(customField, 0) | eval cpuUsage=mvindex(customField, 1) | eventstats max(cpuUsage) as maxUsageByTime by time | eval maxCheck=if(cpuUsage==maxUsageByTime,"Yes","NO") </CODE></PRE> <P>Here is an explanation:</P> <OL> <LI>Load the data : *<EM>| inputlookup Data.csv *</EM></LI> <LI>Dynamically construct a customField which will have value like <STRONG>"cpu0=".cpu0."~". "cpu1=".cpu1."~". "cpu2=".cpu2</STRONG>. This value will change depending on the number of CPU information you have in the data. The subsearch dynamically construct the string similar to above string.</LI> <LI>Rearrange the data as multiple events so that stats function can be used. All the events with <STRONG>maxCheck=Yes</STRONG> are the maximum value for that time.</LI> </OL> <P>Thanks!!</P> Wed, 20 May 2015 11:49:33 GMT https://community.splunk.com/t5/Getting-Data-In/data-mapping-in-csv-file-during-splunk-search/m-p/114696#M23985 vganjare 2015-05-20T11:49:33Z https://community.splunk.com/t5/Getting-Data-In/data-mapping-in-csv-file-during-splunk-search/m-p/114697#M23986 <P>Can you try using following query:</P> <PRE><CODE>| inputlookup Data.csv | eval customField=[| inputlookup Data.csv | fields - time busycore | transpose | fields column| eval customField = "\"".column."=\".".column.".\"~\"." | stats values(customField) as QueryValues | makemv delim="||" QueryValues | eval QueryFilter = substr(QueryValues , 1, len(QueryValues)-5) | return $QueryFilter] | makemv delim="~" customField | fields time busycore customField | mvexpand customField | eval customField = split(customField ,"=") | eval cpuName = mvindex(customField, 0) | eval cpuUsage=mvindex(customField, 1) | eventstats max(cpuUsage) as maxUsageByTime by time | eval maxCheck=if(cpuUsage==maxUsageByTime,"Yes","NO") </CODE></PRE> <P>Thanks!!</P> Wed, 20 May 2015 12:29:26 GMT https://community.splunk.com/t5/Getting-Data-In/data-mapping-in-csv-file-during-splunk-search/m-p/114697#M23986 vganjare 2015-05-20T12:29:26Z https://community.splunk.com/t5/Getting-Data-In/data-mapping-in-csv-file-during-splunk-search/m-p/114698#M23987 <P>Sorry my mistake, now i am getting output. but for single time i am getting 4 entry , 3 entry showing 'no' and one entry showing ' yes'.<BR /> I want to remove all three "no" entries. <BR /> Can we use if condition to do that. <BR /> i mean just check busycore value and then match it with last digit of cpu0,cpu1 and cpu2.<BR /> if both are same keep data else ignore.</P> <P>Thanks ..:)</P> Wed, 20 May 2015 18:35:18 GMT https://community.splunk.com/t5/Getting-Data-In/data-mapping-in-csv-file-during-splunk-search/m-p/114698#M23987 ektasiwani 2015-05-20T18:35:18Z https://community.splunk.com/t5/Getting-Data-In/data-mapping-in-csv-file-during-splunk-search/m-p/114699#M23988 <P>I did same using where. Thanks</P> Wed, 20 May 2015 18:37:14 GMT https://community.splunk.com/t5/Getting-Data-In/data-mapping-in-csv-file-during-splunk-search/m-p/114699#M23988 ektasiwani 2015-05-20T18:37:14Z https://community.splunk.com/t5/Getting-Data-In/data-mapping-in-csv-file-during-splunk-search/m-p/114700#M23989 <P>Hi @ektasiwani</P> <P>Please be sure that when responding to someone's answer, click on "Add comment" directly below their answer or, if responding to someone's comment, type in the "Add your comment..." box directly below their comment. You keeping typing your response in the "Enter your answer here..." box at the very bottom of the page which, instead, posts a brand new answer when it was really meant as a comment. This will help with a clean continuous flow of the conversation. Right now, it's hard to tell who you your responses were intended for. In addition, unless the user is following the question, they won't get a notification that you posted something new. Just something to keep in mind from here on out.</P> Thu, 21 May 2015 01:51:38 GMT https://community.splunk.com/t5/Getting-Data-In/data-mapping-in-csv-file-during-splunk-search/m-p/114700#M23989 ppablo 2015-05-21T01:51:38Z https://community.splunk.com/t5/Getting-Data-In/data-mapping-in-csv-file-during-splunk-search/m-p/114701#M23990 <P>oopss sorry.<BR /> I will take care of that.</P> Thu, 21 May 2015 05:07:28 GMT https://community.splunk.com/t5/Getting-Data-In/data-mapping-in-csv-file-during-splunk-search/m-p/114701#M23990 ektasiwani 2015-05-21T05:07:28Z