topic Re: Extract more values for the same item in one row in Splunk Search

Extract more values for the same item in one row

atelesca — Fri, 21 Sep 2012 13:39:19 GMT

Hello,
I have the following output of a script:
fcs1 0 0 0 1 0 1 0 1 1 1
fcs2 0 0 0 1 1 1 0 0 0 0
fcs3 0 0 0 1 1 1 1 1 0 0

where the first word is the device name and the 0-1 values represent the statuses of the ports.
Could you help in extracting the status and associate it with the port number?
I would like to be able to extract:
port=1 status=0
port=2 status=0
port=3 status=0
port=4 status=1
port=5 status=0
...
for each device.
In this way, I can plot the status by port.

Does anyone know how to do it?
Thanks
Adriana

Re: Extract more values for the same item in one row

sdaniels — Fri, 21 Sep 2012 14:24:09 GMT

Assuming each line is one event. You can put these in the appropriate files under your user at /etc/users//local. If the file doesn't exist just create a new file for it.

Once the data is broken into the different port numbers you can do a search like this:

sourcetype="your_sourcetype" | table PortName, Port1, Port2, Port3, Port4, Port5, Port6, Port7, Port8, Port9, Port10

inputs.conf

[monitor:///Users/path/path/file.txt]
disabled = false
followTail = 0
sourcetype = your_sourcetype

props.conf

[your_sourcetype]
SHOULD_LINEMERGE = false
REPORT-testdata = your_extractions

transforms.conf

[your_extractions]
DELIMS = " "
FIELDS = "PortName", "Port1", "Port2","Port3", "Port4","Port5", "Port6","Port7", "Port8","Port9", "Port10"

Re: Extract more values for the same item in one row

atelesca — Fri, 21 Sep 2012 14:26:41 GMT

Hello, thanks for your answer. I though of that, but then I don't know how to have a graph showing the different status by port number. Do you have any idea of how to do that?

Re: Extract more values for the same item in one row

sdaniels — Fri, 21 Sep 2012 14:30:28 GMT

What do you want the graph to look like?

Re: Extract more values for the same item in one row

atelesca — Fri, 21 Sep 2012 14:33:42 GMT

I would like a column graph where the columns is the status (0-1) in correspondence of the port number (1-2-3-4).
x1=1 y1=Port1 x2=2 y2=Port2 x3=3 y3=Port3

Re: Extract more values for the same item in one row

sdaniels — Fri, 21 Sep 2012 14:42:24 GMT

If you put this to a chart you will get a column chart with a legend that has a color for each Port. With this data I have three Port Names on the x axis and for each one there is a bar for value 1 or nothing if it is 0.