Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Dashboards & Visualizations
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Can you help me display 2 different fields from a ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jip31
Motivator
11-23-2018
08:36 AM
Hello
I want to display in the same line of my table the fields FullChargedCapacity DesignedCapacity by host.
Actually, I have a line for FullChargedCapacity and a line for DesignedCapacity.
I think I have to do a stats values somewhere but I'm not succeeding.
Could you help me please??
index="windows-wmi" sourcetype="WMI:BatteryFull"
| append [ search index="windows-wmi" sourcetype="wmi:BatteryStatic" ]
|table _time host FullChargedCapacity DesignedCapacity
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
11-24-2018
10:24 AM
Try this:
index="windows-wmi" sourcetype="WMI:BatteryFull" OR sourcetype="wmi:BatteryStatic"
| stats first(FullChargedCapacity) AS FullChargedCapacity first(DesignedCapacity) AS DesignedCapacity first(_time) AS _time BY host
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
macadminrohit
Contributor
11-28-2018
02:38 PM
| makeresults
| eval Event1="xyz;1"
| makemv Event1 delim=";"
| eval host=mvindex(Event1,0)
| eval FullChargedCapacity=mvindex(Event1,1)
| append
[| makeresults
| eval Event2="xyz;2"
| makemv Event2 delim=";"
| eval host=mvindex(Event2,0)
| eval DesignedCapacity=mvindex(Event2,1) ] | table DesignedCapacity FullChargedCapacity host | stats values(DesignedCapacity) values(FullChargedCapacity) by host
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
11-24-2018
10:24 AM
Try this:
index="windows-wmi" sourcetype="WMI:BatteryFull" OR sourcetype="wmi:BatteryStatic"
| stats first(FullChargedCapacity) AS FullChargedCapacity first(DesignedCapacity) AS DesignedCapacity first(_time) AS _time BY host
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jip31
Motivator
11-24-2018
11:03 PM
hi it's good but is it possible to have all the events instead the last event??
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
11-28-2018
09:25 AM
Change first to list or values.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
adonio
Ultra Champion
11-23-2018
11:05 AM
try this:
index="windows-wmi" sourcetype="WMI:BatteryFull" OR sourcetype="wmi:BatteryStatic"
|table _time host FullChargedCapacity DesignedCapacity
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jip31
Motivator
11-23-2018
09:13 PM
its the same thing because the timestamp for FullChargedCapacity and for DesignedCapacity is each time a little different
example :
2018-11-24 06:06:20.301 for FullChargedCapacity
2018-11-24 06:06:20.088 for DesignedCapacity
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jip31
Motivator
11-24-2018
12:34 AM
I have done this but there is a shift when the time is not exactly the same
index="windows-wmi" sourcetype="WMI:BatteryFull" OR sourcetype="wmi:BatteryStatic" | eval time = strftime(_time, "%m/%d/%Y %H:%M:%S")
|stats values(FullChargedCapacity) as FullChargedCapacity, values(DesignedCapacity) as DesignedCapacity BY host, time
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
adonio
Ultra Champion
11-24-2018
07:55 AM
each event has its own timestamp, what is your final goal?
you can use the | filldown command to append the null results to each of the lines
Get Updates on the Splunk Community!
.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...
If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...
A Season of Skills: New Splunk Courses to Light Up Your Learning Journey
There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...
Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to ...
Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to Officially Supported Splunk ...
