Re: Data formatting

shugup2923 · ‎08-03-2021

Hi ,
In one of my field I have data in below format , I want data to be displayed day wise, like time for each day separately
Any suggestions ?

Mon-Sat: 10AM-9PM, Sun: 11AM-6PM

Mon-Sat: 9:30AM-9:30PM, Sun: 10AM-8PM

Mon-Wed: 9:30am - 9pm, Thu: 9:30am - 9pm, Fri: 9:30am - 9pm, Sat: 9am - 9pm, Sun: 10am - 7pm

Mon-Sat: 9:30AM-9:30PM, Sun: 10AM-8PM

Mon-Wed: 9:30am - 9pm, Thu: 9:30am - 9pm, Fri: 9:30am - 9pm, Sat: 9am - 9pm, Sun: 10am - 7pm

Mon-Sat: 9:30AM-9:30PM, Sun: 10AM-8PM

Mon-Wed: 9:30am - 9pm, Thu: 9:30am - 9pm, Fri: 9:30am - 9pm, Sat: 9am - 9pm, Sun: 10am - 6pm

Mon-Sat: 9:30AM-9:30PM, Sun: 10AM-8PM

richgalloway · ‎08-03-2021

Is that a single event or 10 events? Please provide a mock-up of the desired results.

---
If this reply helps you, Karma would be appreciated.

shugup2923 · ‎08-03-2021

These are separate events -
desired output -
Store Monday Tuesday Wednesday Thursday Friday Saturday Sunday
abc 9am-10pm 9am-10pm 9am-10pm 9am-10pm 9am-10pm 9am-10pm 9am-10pm
xyz 9am-10pm 9am-10pm 9am-10pm 9am-10pm 9am-10pm 9am-10pm 9am-10pm
so on.....

There are multiple field as well but my target is to break time field in separate days.

ITWhisperer · ‎08-03-2021

There might be an easier way to do this but try:

| makeresults
| eval _raw="Mon-Sat: 10AM-9PM, Sun: 11AM-6PM
Mon-Sat: 9:30AM-9:30PM, Sun: 10AM-8PM
Mon-Wed: 9:30am - 9pm, Thu: 9:30am - 9pm, Fri: 9:30am - 9pm, Sat: 9am - 9pm, Sun: 10am - 7pm
Mon-Sat: 9:30AM-9:30PM, Sun: 10AM-8PM
Mon-Sat: 9:30AM-9:30PM, Sun: 10AM-8PM
Mon-Wed: 9:30am - 9pm, Thu: 9:30am - 9pm, Fri: 9:30am - 9pm, Sat: 9am - 9pm, Sun: 10am - 7pm
Mon-Sat: 9:30AM-9:30PM, Sun: 10AM-8PM
Mon-Sat: 9:30AM-9:30PM, Sun: 10AM-8PM
Mon-Wed: 9:30am - 9pm, Thu: 9:30am - 9pm, Fri: 9:30am - 9pm, Sat: 9am - 9pm, Sun: 10am - 6pm
Mon-Sat: 9:30AM-9:30PM, Sun: 10AM-8PM"
| multikv noheader=t
| table _raw



| streamstats count as store
| eval times=split(_raw,",")
| mvexpand times
| eval times=trim(times)
| fields - _raw
| rex field=times "(?<day>[^:]+): (?<hours>.+)"
| eval day=split(day,"-")
| eval startday=mvindex(day,0)
| eval endday=mvindex(day,1)
| eval startdaynumber=case(startday="Mon",0,startday="Tue",1,startday="Wed",2,startday="Thu",3,startday="Fri",4,startday="Sat",5,startday="Sun",6)
| eval enddaynumber=case(endday="Mon",0,endday="Tue",1,endday="Wed",2,endday="Thu",3,endday="Fri",4,endday="Sat",5,endday="Sun",6)
| eval dayrange=mvrange(startdaynumber,enddaynumber+1)
| mvexpand dayrange
| eval daynumber=if(dayrange="",startdaynumber,dayrange)
| eval day=case(daynumber=0,"Mon",daynumber=1,"Tue",daynumber=2,"Wed",daynumber=3,"Thu",daynumber=4,"Fri",daynumber=5,"Sat",daynumber=6,"Sun")
| table day hours store
| xyseries store day hours
| table store Mon Tue Wed Thu Fri Sat Sun

Data formatting

search

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!