All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Data formatting

shugup2923
Path Finder
‎08-03-2021 04:27 AM

Hi ,
In one of my field I have data in below format , I want data to be displayed day wise, like time for each day separately 
Any suggestions ?

Mon-Sat: 10AM-9PM, Sun: 11AM-6PM
Mon-Sat: 9:30AM-9:30PM, Sun: 10AM-8PM
Mon-Wed: 9:30am - 9pm, Thu: 9:30am - 9pm, Fri: 9:30am - 9pm, Sat: 9am - 9pm, Sun: 10am - 7pm
Mon-Sat: 9:30AM-9:30PM, Sun: 10AM-8PM
Mon-Sat: 9:30AM-9:30PM, Sun: 10AM-8PM
Mon-Wed: 9:30am - 9pm, Thu: 9:30am - 9pm, Fri: 9:30am - 9pm, Sat: 9am - 9pm, Sun: 10am - 7pm
Mon-Sat: 9:30AM-9:30PM, Sun: 10AM-8PM
Mon-Sat: 9:30AM-9:30PM, Sun: 10AM-8PM
Mon-Wed: 9:30am - 9pm, Thu: 9:30am - 9pm, Fri: 9:30am - 9pm, Sat: 9am - 9pm, Sun: 10am - 6pm
Mon-Sat: 9:30AM-9:30PM, Sun: 10AM-8PM
Labels (1)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-03-2021 05:23 AM

Is that a single event or 10 events?  Please provide a mock-up of the desired results.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

shugup2923
Path Finder
‎08-03-2021 07:49 AM

These are separate events -
desired output -
Store Monday Tuesday Wednesday Thursday Friday Saturday Sunday 
  abc          9am-10pm 9am-10pm 9am-10pm 9am-10pm 9am-10pm 9am-10pm 9am-10pm
  xyz          9am-10pm 9am-10pm 9am-10pm 9am-10pm 9am-10pm 9am-10pm 9am-10pm
so on.....

There are multiple field as well but my target is to  break time field in separate days.



0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-03-2021 09:00 AM

There might be an easier way to do this but try:

| makeresults
| eval _raw="Mon-Sat: 10AM-9PM, Sun: 11AM-6PM
Mon-Sat: 9:30AM-9:30PM, Sun: 10AM-8PM
Mon-Wed: 9:30am - 9pm, Thu: 9:30am - 9pm, Fri: 9:30am - 9pm, Sat: 9am - 9pm, Sun: 10am - 7pm
Mon-Sat: 9:30AM-9:30PM, Sun: 10AM-8PM
Mon-Sat: 9:30AM-9:30PM, Sun: 10AM-8PM
Mon-Wed: 9:30am - 9pm, Thu: 9:30am - 9pm, Fri: 9:30am - 9pm, Sat: 9am - 9pm, Sun: 10am - 7pm
Mon-Sat: 9:30AM-9:30PM, Sun: 10AM-8PM
Mon-Sat: 9:30AM-9:30PM, Sun: 10AM-8PM
Mon-Wed: 9:30am - 9pm, Thu: 9:30am - 9pm, Fri: 9:30am - 9pm, Sat: 9am - 9pm, Sun: 10am - 6pm
Mon-Sat: 9:30AM-9:30PM, Sun: 10AM-8PM"
| multikv noheader=t
| table _raw



| streamstats count as store
| eval times=split(_raw,",")
| mvexpand times
| eval times=trim(times)
| fields - _raw
| rex field=times "(?<day>[^:]+): (?<hours>.+)"
| eval day=split(day,"-")
| eval startday=mvindex(day,0)
| eval endday=mvindex(day,1)
| eval startdaynumber=case(startday="Mon",0,startday="Tue",1,startday="Wed",2,startday="Thu",3,startday="Fri",4,startday="Sat",5,startday="Sun",6)
| eval enddaynumber=case(endday="Mon",0,endday="Tue",1,endday="Wed",2,endday="Thu",3,endday="Fri",4,endday="Sat",5,endday="Sun",6)
| eval dayrange=mvrange(startdaynumber,enddaynumber+1)
| mvexpand dayrange
| eval daynumber=if(dayrange="",startdaynumber,dayrange)
| eval day=case(daynumber=0,"Mon",daynumber=1,"Tue",daynumber=2,"Wed",daynumber=3,"Thu",daynumber=4,"Fri",daynumber=5,"Sat",daynumber=6,"Sun")
| table day hours store
| xyseries store day hours
| table store Mon Tue Wed Thu Fri Sat Sun
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...