Data formatting

shugup2923
Path Finder

Hi,
In one of my fields I have data in the format below. I want the data to be displayed day-wise, i.e. the time for each day separately.
Any suggestions?

Mon-Sat: 10AM-9PM, Sun: 11AM-6PM
Mon-Sat: 9:30AM-9:30PM, Sun: 10AM-8PM
Mon-Wed: 9:30am - 9pm, Thu: 9:30am - 9pm, Fri: 9:30am - 9pm, Sat: 9am - 9pm, Sun: 10am - 7pm
Mon-Sat: 9:30AM-9:30PM, Sun: 10AM-8PM
Mon-Sat: 9:30AM-9:30PM, Sun: 10AM-8PM
Mon-Wed: 9:30am - 9pm, Thu: 9:30am - 9pm, Fri: 9:30am - 9pm, Sat: 9am - 9pm, Sun: 10am - 7pm
Mon-Sat: 9:30AM-9:30PM, Sun: 10AM-8PM
Mon-Sat: 9:30AM-9:30PM, Sun: 10AM-8PM
Mon-Wed: 9:30am - 9pm, Thu: 9:30am - 9pm, Fri: 9:30am - 9pm, Sat: 9am - 9pm, Sun: 10am - 6pm
Mon-Sat: 9:30AM-9:30PM, Sun: 10AM-8PM
0 Karma

richgalloway
SplunkTrust

Is that a single event or 10 events?  Please provide a mock-up of the desired results.

---
If this reply helps you, Karma would be appreciated.
0 Karma

shugup2923
Path Finder

These are separate events -
desired output -
Store Monday Tuesday Wednesday Thursday Friday Saturday Sunday 
  abc          9am-10pm 9am-10pm 9am-10pm 9am-10pm 9am-10pm 9am-10pm 9am-10pm
  xyz          9am-10pm 9am-10pm 9am-10pm 9am-10pm 9am-10pm 9am-10pm 9am-10pm
and so on...

There are multiple fields as well, but my target is to break the time field into separate days.



0 Karma

ITWhisperer
SplunkTrust

There might be an easier way to do this but try:

| makeresults
| eval _raw="Mon-Sat: 10AM-9PM, Sun: 11AM-6PM
Mon-Sat: 9:30AM-9:30PM, Sun: 10AM-8PM
Mon-Wed: 9:30am - 9pm, Thu: 9:30am - 9pm, Fri: 9:30am - 9pm, Sat: 9am - 9pm, Sun: 10am - 7pm
Mon-Sat: 9:30AM-9:30PM, Sun: 10AM-8PM
Mon-Sat: 9:30AM-9:30PM, Sun: 10AM-8PM
Mon-Wed: 9:30am - 9pm, Thu: 9:30am - 9pm, Fri: 9:30am - 9pm, Sat: 9am - 9pm, Sun: 10am - 7pm
Mon-Sat: 9:30AM-9:30PM, Sun: 10AM-8PM
Mon-Sat: 9:30AM-9:30PM, Sun: 10AM-8PM
Mon-Wed: 9:30am - 9pm, Thu: 9:30am - 9pm, Fri: 9:30am - 9pm, Sat: 9am - 9pm, Sun: 10am - 6pm
Mon-Sat: 9:30AM-9:30PM, Sun: 10AM-8PM"
| multikv noheader=t
| table _raw



| streamstats count as store
| eval times=split(_raw,",")
| mvexpand times
| eval times=trim(times)
| fields - _raw
| rex field=times "(?<day>[^:]+): (?<hours>.+)"
| eval day=split(day,"-")
| eval startday=mvindex(day,0)
| eval endday=mvindex(day,1)
| eval startdaynumber=case(startday="Mon",0,startday="Tue",1,startday="Wed",2,startday="Thu",3,startday="Fri",4,startday="Sat",5,startday="Sun",6)
| eval enddaynumber=case(endday="Mon",0,endday="Tue",1,endday="Wed",2,endday="Thu",3,endday="Fri",4,endday="Sat",5,endday="Sun",6)
| eval dayrange=mvrange(startdaynumber,enddaynumber+1)
| mvexpand dayrange
| eval daynumber=if(dayrange="",startdaynumber,dayrange)
| eval day=case(daynumber=0,"Mon",daynumber=1,"Tue",daynumber=2,"Wed",daynumber=3,"Thu",daynumber=4,"Fri",daynumber=5,"Sat",daynumber=6,"Sun")
| table day hours store
| xyseries store day hours
| table store Mon Tue Wed Thu Fri Sat Sun
0 Karma
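
The same day-range expansion done outside Splunk, for example in a script that normalizes the field before indexing. This is an added example, not part of the original answer; the function names are hypothetical, and it goes beyond the search above by accepting any letter case and ranges that wrap past Sunday (such as Sat-Mon).

```python
import re

DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
# One comma-separated segment: "Mon-Sat: 9:30AM-9:30PM" or "Sun: 10am - 7pm"
SEGMENT = re.compile(r"^\s*([A-Za-z]{3})(?:\s*-\s*([A-Za-z]{3}))?\s*:\s*(.+?)\s*$")


def expand_days(start, end=None):
    """Return the day names from start to end inclusive, wrapping past Sun."""
    first = DAYS.index(start.title())  # ValueError on an unknown day name
    last = DAYS.index(end.title()) if end else first
    span = (last - first) % 7 + 1
    return [DAYS[(first + i) % 7] for i in range(span)]


def parse_hours(raw):
    """Map each day named in one event's hours string to its opening hours."""
    per_day = {}
    for segment in raw.split(","):
        match = SEGMENT.match(segment)
        if not match:
            raise ValueError(f"unrecognised segment: {segment!r}")
        start, end, hours = match.groups()
        # Unlike the search above, tidy "9:30am - 9pm" to "9:30am-9pm".
        hours = re.sub(r"\s*-\s*", "-", hours)
        for day in expand_days(start, end):
            per_day[day] = hours
    return per_day


def to_table(events):
    """Build one row per event: store number followed by Mon..Sun columns."""
    rows = []
    for store, raw in enumerate(events, start=1):
        per_day = parse_hours(raw)
        rows.append([store] + [per_day.get(day, "") for day in DAYS])
    return rows


# Two of the sample events from the question.
EVENTS = [
    "Mon-Sat: 10AM-9PM, Sun: 11AM-6PM",
    "Mon-Wed: 9:30am - 9pm, Thu: 9:30am - 9pm, Fri: 9:30am - 9pm, Sat: 9am - 9pm, Sun: 10am - 7pm",
]

if __name__ == "__main__":
    print(["store"] + DAYS)
    for row in to_table(EVENTS):
        print(row)
```

A day missing from an event yields an empty cell, and a segment that does not match the expected shape raises `ValueError` rather than being dropped silently.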