topic how to take the values from nth field in Splunk Search

how to take the values from nth field

thambisetty — Mon, 28 Sep 2020 16:29:24 GMT

Hi all,
Below is my search...
source="computer_status_export_SEP12_Mar27.csv" | dedup "Computer Name","MAC Address1" | timechart count("Last time status changed") as count span=1d | sort - _time

_time↕ count↕

2014-03-27 24

2014-03-26 21790

2014-03-25 32439

2014-03-24 4017

2014-03-23 1336

2014-03-22 334

2014-03-21 441

2014-03-20 1540

2014-03-19 1134

2014-03-18 1874

2014-03-17 1363

2014-03-16 760

2014-03-15 261

2014-03-14 253

2014-03-13 698

2014-03-12 684

2014-03-11 541

2014-03-10 473

2014-03-09 425

Now what I want to do is I want add the count after 10 values it means from 2014-03-17 to ending so please help me.........

Re: how to take the values from nth field

martin_mueller — Tue, 29 Apr 2014 11:23:28 GMT

You could set your timerange accordingly to only search from March 17th and on.

Alternatively, you can add this to the end of your search:

... | head 11 | stats sum(count)

That will take the first eleven rows, March 27th to March 17th, and sum up their counts.

Re: how to take the values from nth field

somesoni2 — Tue, 29 Apr 2014 13:52:16 GMT

Try this

source="computer_status_export_SEP12_Mar27.csv" | dedup "Computer Name","MAC Address1" | timechart count("Last time status changed") as count span=1d | sort - _time | streamstats count as sno | eval sno=if(sno>10,11,sno) | stats first(_time) as _time sum(count) as count by sno | fields - sno

Re: how to take the values from nth field

thambisetty — Tue, 29 Apr 2014 16:28:02 GMT

that is search for first 10 values right......?
i want to combine after 10 to last value....i dont want first 10 ok

Re: how to take the values from nth field

thambisetty — Tue, 29 Apr 2014 16:30:47 GMT

and one more thing can write the code like below..
if(sno>=4,stats sum(count),if(sno>=5 and sno<=10),stats sum(count),if(sno>=11),stats sum(count))....
i think this should be understood by you please help me............

Re: how to take the values from nth field

somesoni2 — Tue, 29 Apr 2014 19:55:11 GMT

You want commulative sum after 10th value? If possible provide the expected output from the sample data you've shared.

You cant have syntax you mentioned in previous comment, but if you can tell your requirement with expected output, there may be some workarounds to get that.

Re: how to take the values from nth field

linu1988 — Tue, 29 Apr 2014 20:14:09 GMT

if the above two suggestions are not okay for you, they use a where clause to have the dates greater than 17th!! why bother about all the top 11 records or 11th record!

Re: how to take the values from nth field

thambisetty — Wed, 30 Apr 2014 15:27:55 GMT

as i mentioned in the above...
_time↕ count↕

2014-03-27 24

2014-03-26 21790

2014-03-25 32439

2014-03-24 4017

2014-03-23 1336

2014-03-22 334

2014-03-21 441

2014-03-20 1540

2014-03-19 1134

2014-03-18 1874

2014-03-11 541
i want to genarate report for first 4 days one group1,after 6 days group2,rest of as group3..
Expected Output:

Signature_Status Count

Signature <=4 count1(first 4days count)
Signature >=5 and <=10 count2(next 6 days count)
Signature >=11 count3(rest of days count)

Re: how to take the values from nth field

thambisetty — Wed, 30 Apr 2014 15:33:21 GMT

The output which i Mentioned in the above is for only one day(2014-03-27).
Now my question is i want to make the trend for before 10 days including today also..it means today(30/04/2014) to 21/04/2014---(from today to past 10 days)..
Expected Output:
Date Signature<=4 "Signature>=5and<=10" "Signature>=11"
2014-04-30 100 200 500
29
28
27
26
25
24
23
22
21

so i can make the trend....for the computer status report(this is the file where we store the status of computer details of entire domain)..
please help me................

Re: how to take the values from nth field

somesoni2 — Wed, 30 Apr 2014 15:43:31 GMT

Just to be sure, The output should be like this

Date##Signature<=4##Signature>=5and<=10##Signature>=11
04-30##Count(04-30 to 04-27)##Count(04-26 to 04-22)##Count(before 04-22)

This should be done for just today or for every day, get data for past 5, 6-10 and before 10 days? Signature is a field in your logs?