Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Dashboards & Visualizations
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Re: Can you help me display 2 different fields fro...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jip31
Motivator
11-23-2018
08:36 AM
Hello
I want to display in the same line of my table the fields FullChargedCapacity DesignedCapacity by host.
Actually, I have a line for FullChargedCapacity and a line for DesignedCapacity.
I think I have to do a stats values somewhere but I'm not succeeding.
Could you help me please??
index="windows-wmi" sourcetype="WMI:BatteryFull"
| append [ search index="windows-wmi" sourcetype="wmi:BatteryStatic" ]
|table _time host FullChargedCapacity DesignedCapacity
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
11-24-2018
10:24 AM
Try this:
index="windows-wmi" sourcetype="WMI:BatteryFull" OR sourcetype="wmi:BatteryStatic"
| stats first(FullChargedCapacity) AS FullChargedCapacity first(DesignedCapacity) AS DesignedCapacity first(_time) AS _time BY host
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
macadminrohit
Contributor
11-28-2018
02:38 PM
| makeresults
| eval Event1="xyz;1"
| makemv Event1 delim=";"
| eval host=mvindex(Event1,0)
| eval FullChargedCapacity=mvindex(Event1,1)
| append
[| makeresults
| eval Event2="xyz;2"
| makemv Event2 delim=";"
| eval host=mvindex(Event2,0)
| eval DesignedCapacity=mvindex(Event2,1) ] | table DesignedCapacity FullChargedCapacity host | stats values(DesignedCapacity) values(FullChargedCapacity) by host
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
11-24-2018
10:24 AM
Try this:
index="windows-wmi" sourcetype="WMI:BatteryFull" OR sourcetype="wmi:BatteryStatic"
| stats first(FullChargedCapacity) AS FullChargedCapacity first(DesignedCapacity) AS DesignedCapacity first(_time) AS _time BY host
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jip31
Motivator
11-24-2018
11:03 PM
hi it's good but is it possible to have all the events instead the last event??
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
11-28-2018
09:25 AM
Change first to list or values.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
adonio
Ultra Champion
11-23-2018
11:05 AM
try this:
index="windows-wmi" sourcetype="WMI:BatteryFull" OR sourcetype="wmi:BatteryStatic"
|table _time host FullChargedCapacity DesignedCapacity
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jip31
Motivator
11-23-2018
09:13 PM
its the same thing because the timestamp for FullChargedCapacity and for DesignedCapacity is each time a little different
example :
2018-11-24 06:06:20.301 for FullChargedCapacity
2018-11-24 06:06:20.088 for DesignedCapacity
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jip31
Motivator
11-24-2018
12:34 AM
I have done this but there is a shift when the time is not exactly the same
index="windows-wmi" sourcetype="WMI:BatteryFull" OR sourcetype="wmi:BatteryStatic" | eval time = strftime(_time, "%m/%d/%Y %H:%M:%S")
|stats values(FullChargedCapacity) as FullChargedCapacity, values(DesignedCapacity) as DesignedCapacity BY host, time
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
adonio
Ultra Champion
11-24-2018
07:55 AM
each event has its own timestamp, what is your final goal?
you can use the | filldown command to append the null results to each of the lines
Get Updates on the Splunk Community!
Index This | Why did the turkey cross the road?
November 2025 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We’re back with this ...
Enter the Agentic Era with Splunk AI Assistant for SPL 1.4
🚀 Your data just got a serious AI upgrade — are you ready?
Say hello to the Agentic Era with the ...
Feel the Splunk Love: Real Stories from Real Customers
Hello Splunk Community,
What’s the best part of hearing how our customers use Splunk? Easy: the positive ...
