topic Re: How to create multivalue field from single value fields? in Splunk Search

How to create multivalue field from single value fields?

ohlafl — Fri, 24 Jul 2015 17:24:05 GMT

I have several fields containing machine performance data named as CPUload and RAMload etcetera. They are dynamically calculated by searches such as eval value=if(valueFromSource > 0, "Value is: " "N/A"). These fields are to be concatenated into one row in a table column called "Operations" and the column to the left contains the name of the machine.

This almost works, but whenever I try to write something that would print this row as:

CPU load: 5%, RAM load: 10%

... it always ends up looking like this:

CPU load: 5%,
RAM load: 10%,

What am I doing wrong? I have tried everything from concatenating strings to multivalue operations, but whatever angle I try, it always turns out the same. I suspect that what I want to do is to create a multivalue field from two single value fields, but I am honestly not sure... any takers on this?

Re: How to create multivalue field from single value fields?

richgalloway — Fri, 24 Jul 2015 18:01:34 GMT

It would be helpful to see the queries you've tried that came close to what you want.

Have you tried something like this?

... | eval Operations=CPUload.", ".RAMload | table machineName Operations

Re: How to create multivalue field from single value fields?

ohlafl — Fri, 24 Jul 2015 18:22:53 GMT

The last part of the query:

stats list(host) as Server list(operations) as Operations by Environment

The machines have to be listed by the respective server and then the Operations row by its respective machine.

Re: How to create multivalue field from single value fields?

woodcock — Fri, 24 Jul 2015 20:00:21 GMT

You need to do something like this (building your magastring before the stats😞

... | eval operations="host=" . host . ", CPUload=" . CPUload . ", RAMload=" . RAMload . ", SomeValue=" . if(valueFromSource<0, valueFromSource, "N/A") | stats list(operations) as Operations by Environment

Re: How to create multivalue field from single value fields?

somesoni2 — Fri, 24 Jul 2015 21:32:37 GMT

Just add following to end of your search

...Your current search ....| nomv Operations

Re: How to create multivalue field from single value fields?

ohlafl — Sat, 25 Jul 2015 11:04:04 GMT

This would of worked if there was only one machine per environment but since there can up to four of them this happened:

CPU load: 5%, RAM load: 10%, Some Value: 4%, CPU load: 5%, RAM load: 10%, Some Value: 4%, CPU load: 5%, RAM load: 10%, Some Value: 4%

Everything on one row instead of:

CPU load: 56%, RAM load: 10%, Some Value: 23%, 
CPU load: 3%, RAM load: 15%, Some Value: 42%, 
CPU load: 1%, RAM load: 1%, Some Value: 46%,

One row with three results per machine. Is this expected or have I done something wrong? I tried running makemv delim="," Operations| eval Operations=mvappend(CPUStatus, MemStatus) etcetera but the result was the same.