
operations or statistics on rows and cells in multi-line event table

tippy
New Member

I have an entry in /var/log/messages which contains a string of multiple sets of 6 keypairs (pairdelim="," kvdelim=":" mv_add=true). This easily forms a table - and depending on the event - it will contain any number of rows.

i.e.

column1 column2 column3 column4 column5 column6
A1 B1 C1 D1 E1 F1
A2 B2 C2 D2 E2 F2 ...
An Bn Cn Dn En Fn

How can I perform operations which are based on the values in these rows, i.e. select the row where Column2 is B2 and tell me the value of Column6 (in this case, F2). Or add up all the F2's over time?

(Even clicking a table header cell (which would normally toggle a sort) does nothing for these multi-line events).

0 Karma

sundareshr
Legend

If the number of columns is constant and the number of values per column is always the same across all columns, you could do something like this:

your search here | eval z=mvzip(col1, mvzip(col2, mvzip(col3, mvzip(col4, mvzip(col5, col6))))) | table z | mvexpand z

With this you have a table where each value is a separate row. You can filter this data as you would any other. For example, you could use addcoltotals to add up all the F2s over time (http://docs.splunk.com/Documentation/Splunk/6.2.3/SearchReference/Addcoltotals)

0 Karma
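Putting the mvzip/mvexpand approach from the answer together end to end, as an added example that is not part of the original thread: the multivalue fields col1..col6 are built inline with split() to stand in for the pairdelim="," kvdelim=":" mv_add=true extraction the question already has in place (makeresults and the split() calls are assumptions), col6 is given numeric values so that a sum means something, and the nested mvzip is written with an explicit "|" delimiter so the joined row can be split back into named fields after mvexpand, which the answer's one-liner does not do.

```spl
| makeresults
| eval col1=split("A1,A2,A3", ","), col2=split("B1,B2,B3", ","),
       col3=split("C1,C2,C3", ","), col4=split("D1,D2,D3", ","),
       col5=split("E1,E2,E3", ","), col6=split("10,20,30", ",")
| eval row=mvzip(mvzip(mvzip(mvzip(mvzip(col1, col2, "|"), col3, "|"), col4, "|"), col5, "|"), col6, "|")
| table _time row
| mvexpand row
| eval parts=split(row, "|"),
       col1=mvindex(parts, 0), col2=mvindex(parts, 1), col3=mvindex(parts, 2),
       col4=mvindex(parts, 3), col5=mvindex(parts, 4), col6=mvindex(parts, 5)
| fields - row parts
| where col2="B2"
| stats sum(col6) AS total_col6 BY col2
```

The first two lines (makeresults and the split() evals) only exist to construct sample data; in the real search replace them with the search that returns the /var/log/messages events, since the existing extraction already yields col1..col6 as multivalue fields. After mvexpand each row of the embedded table is its own result with single-valued col1..col6, so where, stats, sort and the rest behave normally; with the constructed data the search returns one row, col2=B2 with total_col6=20. To total "over time" rather than in one number, swap the final stats for something like `timechart span=1h sum(col6) AS total_col6 BY col2`. Two checks worth keeping in mind: mvzip pairs values purely by position, so if one key is missing from a single set in an event the columns shift and rows are silently mis-assembled (guarding with `| where mvcount(col1)=mvcount(col6)` before the mvzip catches the common case), and mvexpand is bounded by max_mem_usage_mb in limits.conf, so very large events can be truncated rather than fully expanded.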