Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I format the display of multiple cells per line?

mclane1
Path Finder
‎10-19-2018 08:03 AM

Please look at this example :

|makeresults | eval Application="App1" | eval TX_P1=1 | eval TX_P2=10 | eval TX_P3=100 | eval TX_P4=1000 | eval Source="ref" | append [|makeresults | eval Application="App2" | eval TX_P1=2 | eval TX_P2=20 | eval TX_P3=200| eval TX_P4=2000| eval Source="ref"] | appendpipe [| eval Source="inc" | eval TX_P1=TX_P1-1 | eval TX_P2=TX_P2-5| eval TX_P3=TX_P3-50| eval TX_P4=TX_P4-500] | sort Application

Results :
Show result in splunk

I would like to add some pipes to change the result like this:

|Application|TX_P1    |TX_P2     |TX_P3       |TX_P4         |
| App1      |0/1(100%)|5/10(50%) |50/100(50%) |500/1000(50%) |
| App2      |1/2(50%) |15/20(25%)|150/200(25%)|1500/2000(25%)|
Tags (2)
Preview file
19 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mclane1
Path Finder
‎10-24-2018 08:14 AM

Thanks to @maciep and @renjith.nair

I didn't know the foreach command.

|makeresults | eval Application="App1" | eval TX_P1=1 | eval TX_P2=10 | eval TX_P3=100 | eval TX_P4=1000 
 | eval Source="ref" | append [|makeresults | eval Application="App2" | eval TX_P1=2 | eval TX_P2=20 
 | eval TX_P3=200| eval TX_P4=2000| eval Source="ref"] | appendpipe [| eval Source="inc" | eval TX_P1=TX_P1-1 
 | eval TX_P2=TX_P2-5| eval TX_P3=TX_P3-50| eval TX_P4=TX_P4-500] | sort Application
 | streamstats current=f window=1 last(TX_P1) as PREV_P1,last(TX_P2) as PREV_P2,last(TX_P3) as PREV_P3,last(TX_P4) as PREV_P4
 | where Source="inc"
 | foreach TX_* [eval new_<<MATCHSTR>>=<<FIELD>>."/".PREV_<<MATCHSTR>>." (".(100-(100*(<<FIELD>>/PREV_<<MATCHSTR>>)))."%)"]
 | foreach new_* [eval TX_<<MATCHSTR>>=<<FIELD>>]
 | fields - PREV_*, new_*, Source, _time

Regards,

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

mclane1
Path Finder
‎10-24-2018 08:14 AM

Thanks to @maciep and @renjith.nair

I didn't know the foreach command.

|makeresults | eval Application="App1" | eval TX_P1=1 | eval TX_P2=10 | eval TX_P3=100 | eval TX_P4=1000 
 | eval Source="ref" | append [|makeresults | eval Application="App2" | eval TX_P1=2 | eval TX_P2=20 
 | eval TX_P3=200| eval TX_P4=2000| eval Source="ref"] | appendpipe [| eval Source="inc" | eval TX_P1=TX_P1-1 
 | eval TX_P2=TX_P2-5| eval TX_P3=TX_P3-50| eval TX_P4=TX_P4-500] | sort Application
 | streamstats current=f window=1 last(TX_P1) as PREV_P1,last(TX_P2) as PREV_P2,last(TX_P3) as PREV_P3,last(TX_P4) as PREV_P4
 | where Source="inc"
 | foreach TX_* [eval new_<<MATCHSTR>>=<<FIELD>>."/".PREV_<<MATCHSTR>>." (".(100-(100*(<<FIELD>>/PREV_<<MATCHSTR>>)))."%)"]
 | foreach new_* [eval TX_<<MATCHSTR>>=<<FIELD>>]
 | fields - PREV_*, new_*, Source, _time

Regards,

0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎10-24-2018 06:43 PM

@mclane1, glad it worked. If any of the answers or comments helped you, feel free to vote

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Solved! Jump to solution

Vijeta
Influencer
‎10-19-2018 12:35 PM

Do you want all these columns separated by | in one single column?

0 Karma
Reply
Solved! Jump to solution

mclane1
Path Finder
‎10-24-2018 01:58 AM

No, just columns without "|" I don't find how to make an array in this tools

0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎10-19-2018 08:55 AM

@mclane1,

|makeresults | eval Application="App1" | eval TX_P1=1 | eval TX_P2=10 | eval TX_P3=100 | eval TX_P4=1000 
| eval Source="ref" | append [|makeresults | eval Application="App2" | eval TX_P1=2 | eval TX_P2=20 
| eval TX_P3=200| eval TX_P4=2000| eval Source="ref"] | appendpipe [| eval Source="inc" | eval TX_P1=TX_P1-1 
| eval TX_P2=TX_P2-5| eval TX_P3=TX_P3-50| eval TX_P4=TX_P4-500] | sort Application
|streamstats current=f window=1 last(TX_P1) as PREV_P1,last(TX_P2) as PREV_P2,last(TX_P3) as PREV_P3,last(TX_P4) as PREV_P4
|where Source="inc"
|eval X1=100-(TX_P1*100)/PREV_P1,TX_P1=TX_P1."/".PREV_P1."(".X1."%)",
      X2=100-(TX_P2*100)/PREV_P2,TX_P2=TX_P2."/".PREV_P2."(".X2."%)",
      X3=100-(TX_P3*100)/PREV_P3,TX_P3=TX_P3."/".PREV_P3."(".X3."%)",
      X4=100-(TX_P4*100)/PREV_P4,TX_P4=TX_P4."/".PREV_P4."(".X4."%)"
|fields - PREV*,_time,Source,X*
---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...