Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Dashboards & Visualizations
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Can you help me display 2 different fields from a ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jip31
Motivator
11-23-2018
08:36 AM
Hello
I want to display in the same line of my table the fields FullChargedCapacity DesignedCapacity by host.
Actually, I have a line for FullChargedCapacity and a line for DesignedCapacity.
I think I have to do a stats values somewhere but I'm not succeeding.
Could you help me please??
index="windows-wmi" sourcetype="WMI:BatteryFull"
| append [ search index="windows-wmi" sourcetype="wmi:BatteryStatic" ]
|table _time host FullChargedCapacity DesignedCapacity
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
11-24-2018
10:24 AM
Try this:
index="windows-wmi" sourcetype="WMI:BatteryFull" OR sourcetype="wmi:BatteryStatic"
| stats first(FullChargedCapacity) AS FullChargedCapacity first(DesignedCapacity) AS DesignedCapacity first(_time) AS _time BY host
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
macadminrohit
Contributor
11-28-2018
02:38 PM
| makeresults
| eval Event1="xyz;1"
| makemv Event1 delim=";"
| eval host=mvindex(Event1,0)
| eval FullChargedCapacity=mvindex(Event1,1)
| append
[| makeresults
| eval Event2="xyz;2"
| makemv Event2 delim=";"
| eval host=mvindex(Event2,0)
| eval DesignedCapacity=mvindex(Event2,1) ] | table DesignedCapacity FullChargedCapacity host | stats values(DesignedCapacity) values(FullChargedCapacity) by host
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
11-24-2018
10:24 AM
Try this:
index="windows-wmi" sourcetype="WMI:BatteryFull" OR sourcetype="wmi:BatteryStatic"
| stats first(FullChargedCapacity) AS FullChargedCapacity first(DesignedCapacity) AS DesignedCapacity first(_time) AS _time BY host
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jip31
Motivator
11-24-2018
11:03 PM
hi it's good but is it possible to have all the events instead the last event??
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
11-28-2018
09:25 AM
Change first to list or values.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
adonio
Ultra Champion
11-23-2018
11:05 AM
try this:
index="windows-wmi" sourcetype="WMI:BatteryFull" OR sourcetype="wmi:BatteryStatic"
|table _time host FullChargedCapacity DesignedCapacity
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jip31
Motivator
11-23-2018
09:13 PM
its the same thing because the timestamp for FullChargedCapacity and for DesignedCapacity is each time a little different
example :
2018-11-24 06:06:20.301 for FullChargedCapacity
2018-11-24 06:06:20.088 for DesignedCapacity
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jip31
Motivator
11-24-2018
12:34 AM
I have done this but there is a shift when the time is not exactly the same
index="windows-wmi" sourcetype="WMI:BatteryFull" OR sourcetype="wmi:BatteryStatic" | eval time = strftime(_time, "%m/%d/%Y %H:%M:%S")
|stats values(FullChargedCapacity) as FullChargedCapacity, values(DesignedCapacity) as DesignedCapacity BY host, time
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
adonio
Ultra Champion
11-24-2018
07:55 AM
each event has its own timestamp, what is your final goal?
you can use the | filldown command to append the null results to each of the lines
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Get Updates on the Splunk Community!
Tech Talk Recap | Mastering Threat Hunting
Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...
Observability for AI Applications: Troubleshooting Latency
If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...
Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?
In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...
