topic Re: Data spliting in Reporting

Data spliting

prathapkcsc — Wed, 05 Apr 2017 11:45:45 GMT

i have a data like this
ip = 10.60.11.170 , value = 46
ip = 10.60.11.168 , value = 47
ip = 10.60.11.171 , value = 48
ip = 10.60.11.167 , value = 47
like 10 rows
i want to store the above data in table format and i need to generate the visualization like for particular ip address,how much memory consuming .

when i am giving
source=my base search | table ip,value

after executing this,its giving me only 1st row.How to get the remaining all
Can anyone help me how to crack this
Thank you

Re: Data spliting

DalJeanis — Wed, 05 Apr 2017 15:11:17 GMT

Is the above data all in a single record, or is it in individual records?

Re: Data spliting

DalJeanis — Wed, 05 Apr 2017 15:21:52 GMT

This just generates some test records with your sample data. Now, what did you want your visualization to look like?

| makeresults 
| eval allmydata="ip = 10.60.11.170 , value = 46
ip = 10.60.11.168 , value = 47
ip = 10.60.11.171 , value = 48
ip = 10.60.11.167 , value = 47"
| rex field=allmydata max_match=0 "(?<thedata>ip = ([\d\.]+) , value = (\d+))"
| fields thedata
| mvexpand thedata
| rex field=thedata max_match=0 "ip = (?<ip>[\d\.]+) , value = (?<value>\d+)"
| table ip value

Re: Data spliting

prathapkcsc — Wed, 05 Apr 2017 15:25:21 GMT

The value

Re: Data spliting

prathapkcsc — Wed, 05 Apr 2017 15:27:23 GMT

It is a text with 10 rows of data coming from the linux script.Here the value changes dynamically.

Re: Data spliting

DalJeanis — Wed, 05 Apr 2017 17:09:28 GMT

 | chart sum(value) as value by ip

Re: Data spliting

prathapkcsc — Wed, 05 Apr 2017 17:13:16 GMT

The value field comes from the text dynamically...the value field is the free memory of the datanode..that gives different values every time..but in your solution you hardcoded value field..

Re: Data spliting

DalJeanis — Wed, 05 Apr 2017 17:14:33 GMT

Okay, the sample code, from line 6 on, will handle pulling the data out of any event where it is present as multiple data lines such as the sample data in lines 2-5. If the _time field is present on the event and you are looking for CPU usage across time, then be sure to include _time in the table command in line 10.

Re: Data spliting

prathapkcsc — Wed, 05 Apr 2017 17:23:26 GMT

I wrote a script that checks how much cpu,memory consuming the datanodes..that details would store in one text file..
I have 10 datanodes,so for each datanode one different value will come dynamically.for that i need to store in table and have to generate one graph which shows the freee memory status of the corresponding node...

Re: Data spliting

prathapkcsc — Wed, 05 Apr 2017 17:33:19 GMT

Re: Data spliting

DalJeanis — Wed, 05 Apr 2017 20:24:06 GMT

Replace lines 1-2 with your actual data. Use the same format as your sample.

ip = xxx.xxx.xxx.xxx , value = xxxx

Re: Data spliting

prathapkcsc — Thu, 06 Apr 2017 02:26:39 GMT

ip = xxx.xxx.xxx.xxx , value = xxxx

Can i give same above in eval command??

Re: Data spliting

prathapkcsc — Thu, 06 Apr 2017 04:15:21 GMT

Thank you somuch DalJeanis..It works absolutely fine...Awesome 😄
kudos to you

Re: Data spliting

DalJeanis — Thu, 06 Apr 2017 14:06:32 GMT

You are very welcome.

I would expect that you would want to also track this over time. If you'd like to do that, then post a new question and the community can give you suggestions about how to do that. (Basically, you'd want to add a date/time stamp to the data, break the data up into individual records, and output that either to a csv or a summary index so that you could read it in later without going to the individual fiels.)

Re: Data spliting

prathapkcsc — Sat, 08 Apr 2017 09:00:35 GMT

Hey in eval expression we are giving the values manually right?
My requirement is that it has pick all the values dynamically.
Is there any way to do it that?

Re: Data spliting

prathapkcsc — Sat, 08 Apr 2017 09:58:34 GMT

eval allmydata="ip = 10.60.11.170 , value = 46
ip = 10.60.11.168 , value = 47
ip = 10.60.11.171 , value = 48
ip = 10.60.11.167 , value = 47"

i need to avoid these thing.Splunk has to pick all the rows in the event automatically..

Can you tell me