Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How do I format the display of multiple cells per line?

mclane1
Path Finder
‎10-19-2018 08:03 AM

Please look at this example :

|makeresults | eval Application="App1" | eval TX_P1=1 | eval TX_P2=10 | eval TX_P3=100 | eval TX_P4=1000 | eval Source="ref" | append [|makeresults | eval Application="App2" | eval TX_P1=2 | eval TX_P2=20 | eval TX_P3=200| eval TX_P4=2000| eval Source="ref"] | appendpipe [| eval Source="inc" | eval TX_P1=TX_P1-1 | eval TX_P2=TX_P2-5| eval TX_P3=TX_P3-50| eval TX_P4=TX_P4-500] | sort Application

Results :
Show result in splunk

I would like to add some pipes to change the result like this:

|Application|TX_P1    |TX_P2     |TX_P3       |TX_P4         |
| App1      |0/1(100%)|5/10(50%) |50/100(50%) |500/1000(50%) |
| App2      |1/2(50%) |15/20(25%)|150/200(25%)|1500/2000(25%)|
Tags (2)
Preview file
19 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mclane1
Path Finder
‎10-24-2018 08:14 AM

Thanks to @maciep and @renjith.nair

I didn't know the foreach command.

|makeresults | eval Application="App1" | eval TX_P1=1 | eval TX_P2=10 | eval TX_P3=100 | eval TX_P4=1000 
 | eval Source="ref" | append [|makeresults | eval Application="App2" | eval TX_P1=2 | eval TX_P2=20 
 | eval TX_P3=200| eval TX_P4=2000| eval Source="ref"] | appendpipe [| eval Source="inc" | eval TX_P1=TX_P1-1 
 | eval TX_P2=TX_P2-5| eval TX_P3=TX_P3-50| eval TX_P4=TX_P4-500] | sort Application
 | streamstats current=f window=1 last(TX_P1) as PREV_P1,last(TX_P2) as PREV_P2,last(TX_P3) as PREV_P3,last(TX_P4) as PREV_P4
 | where Source="inc"
 | foreach TX_* [eval new_<<MATCHSTR>>=<<FIELD>>."/".PREV_<<MATCHSTR>>." (".(100-(100*(<<FIELD>>/PREV_<<MATCHSTR>>)))."%)"]
 | foreach new_* [eval TX_<<MATCHSTR>>=<<FIELD>>]
 | fields - PREV_*, new_*, Source, _time

Regards,

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

mclane1
Path Finder
‎10-24-2018 08:14 AM

Thanks to @maciep and @renjith.nair

I didn't know the foreach command.

|makeresults | eval Application="App1" | eval TX_P1=1 | eval TX_P2=10 | eval TX_P3=100 | eval TX_P4=1000 
 | eval Source="ref" | append [|makeresults | eval Application="App2" | eval TX_P1=2 | eval TX_P2=20 
 | eval TX_P3=200| eval TX_P4=2000| eval Source="ref"] | appendpipe [| eval Source="inc" | eval TX_P1=TX_P1-1 
 | eval TX_P2=TX_P2-5| eval TX_P3=TX_P3-50| eval TX_P4=TX_P4-500] | sort Application
 | streamstats current=f window=1 last(TX_P1) as PREV_P1,last(TX_P2) as PREV_P2,last(TX_P3) as PREV_P3,last(TX_P4) as PREV_P4
 | where Source="inc"
 | foreach TX_* [eval new_<<MATCHSTR>>=<<FIELD>>."/".PREV_<<MATCHSTR>>." (".(100-(100*(<<FIELD>>/PREV_<<MATCHSTR>>)))."%)"]
 | foreach new_* [eval TX_<<MATCHSTR>>=<<FIELD>>]
 | fields - PREV_*, new_*, Source, _time

Regards,

0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎10-24-2018 06:43 PM

@mclane1, glad it worked. If any of the answers or comments helped you, feel free to vote

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Solved! Jump to solution

Vijeta
Influencer
‎10-19-2018 12:35 PM

Do you want all these columns separated by | in one single column?

0 Karma
Reply
Solved! Jump to solution

mclane1
Path Finder
‎10-24-2018 01:58 AM

No, just columns without "|" I don't find how to make an array in this tools

0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎10-19-2018 08:55 AM

@mclane1,

|makeresults | eval Application="App1" | eval TX_P1=1 | eval TX_P2=10 | eval TX_P3=100 | eval TX_P4=1000 
| eval Source="ref" | append [|makeresults | eval Application="App2" | eval TX_P1=2 | eval TX_P2=20 
| eval TX_P3=200| eval TX_P4=2000| eval Source="ref"] | appendpipe [| eval Source="inc" | eval TX_P1=TX_P1-1 
| eval TX_P2=TX_P2-5| eval TX_P3=TX_P3-50| eval TX_P4=TX_P4-500] | sort Application
|streamstats current=f window=1 last(TX_P1) as PREV_P1,last(TX_P2) as PREV_P2,last(TX_P3) as PREV_P3,last(TX_P4) as PREV_P4
|where Source="inc"
|eval X1=100-(TX_P1*100)/PREV_P1,TX_P1=TX_P1."/".PREV_P1."(".X1."%)",
      X2=100-(TX_P2*100)/PREV_P2,TX_P2=TX_P2."/".PREV_P2."(".X2."%)",
      X3=100-(TX_P3*100)/PREV_P3,TX_P3=TX_P3."/".PREV_P3."(".X3."%)",
      X4=100-(TX_P4*100)/PREV_P4,TX_P4=TX_P4."/".PREV_P4."(".X4."%)"
|fields - PREV*,_time,Source,X*
---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...