Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to chart results from an input file by similar values

ronaldsc
New Member
‎01-05-2017 01:32 PM

Hi everyone -

Hoping one of the many experts here can point me in the right direction. I have an input file with server names and contents within each server. I'd like to be able to display the data from the input file by the unique contents across each of my servers. Example below to better illustrate what I am trying to accomplish

input file contents sample - I have a csv file with the following data:

servera    serverb    serverc
box        spoon      box
spoon      straw      straw
straw                 napkin
bowl                  knife

Here is the desired output - I'd like to display the the contents across all servers and show a null or blank line for unique "contents" across all the servers.

    servera    serverb    serverc
    box                   box
    spoon      spoon
    straw      straw      straw
    bowl   
                          napkin
                          knife

Thanks for the help in advance, please let me know if I need to further explain what I'm trying to accomplish.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎01-05-2017 02:11 PM

Give this a try

|inputlookup filename.csv
| eval temp=1 | untable temp server content | chart max(temp) over content by server | foreach * [eval <<FIELD>>=case("<<FIELD>>"="content",content,'<<FIELD>>'=1,content)]

Tested with this run anywhere sample.

| gentimes start=-1 | eval temp="box        spoon      box# spoon      straw      straw# straw      -         napkin#bowl      -          knife" | table temp | makemv temp delim="#" | mvexpand temp | rex field=temp "(?<servera>\S+)\s+(?<serverb>\S+)\s+(?<serverc>\S+)" | table ser* | foreach * [eval <<FIELD>>=if('<<FIELD>>'="-",null(),'<<FIELD>>')] 
| eval temp=1 | untable temp server content | chart max(temp) over content by server | foreach * [eval <<FIELD>>=case("<<FIELD>>"="content",content,'<<FIELD>>'=1,content)]

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎01-05-2017 02:11 PM

Give this a try

|inputlookup filename.csv
| eval temp=1 | untable temp server content | chart max(temp) over content by server | foreach * [eval <<FIELD>>=case("<<FIELD>>"="content",content,'<<FIELD>>'=1,content)]

Tested with this run anywhere sample.

| gentimes start=-1 | eval temp="box        spoon      box# spoon      straw      straw# straw      -         napkin#bowl      -          knife" | table temp | makemv temp delim="#" | mvexpand temp | rex field=temp "(?<servera>\S+)\s+(?<serverb>\S+)\s+(?<serverc>\S+)" | table ser* | foreach * [eval <<FIELD>>=if('<<FIELD>>'="-",null(),'<<FIELD>>')] 
| eval temp=1 | untable temp server content | chart max(temp) over content by server | foreach * [eval <<FIELD>>=case("<<FIELD>>"="content",content,'<<FIELD>>'=1,content)]
0 Karma
Reply
Solved! Jump to solution

ronaldsc
New Member
‎01-05-2017 02:22 PM

This works, but I have no clue what you did. Untable just pumps the data with the temp server and content columns, correct? What is the foreach statement at the end doing exactly?

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎01-05-2017 02:26 PM

The best way to understand the query is to run step by step. See the result change from "|inputlookup filename.csv" to "|inputlookup filename.csv | eval temp=1 | untable temp server content" . The columns have become the row labels and values of the columns are coming in a separate field called content. After that I'm charting max(temp) by content, just a placeholder to find which server has that content available. It'll 1 if a server has that content and null if it doesn't. The foreach loop is to loop through all server columns and replace 1 with the value of "content" per your desired output.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎01-05-2017 01:37 PM

Is the data in Splunk as indexed data OR lookup csv file? What are the field names available in Splunk for your data and are they static/dynamic?

0 Karma
Reply
Solved! Jump to solution

ronaldsc
New Member
‎01-05-2017 01:41 PM

It's a csv file - I use |inputlookup filename to show the contents. I don't have fields names the file is exactly as shown in my example. Should I change that around, pretty new to using lookup files.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎01-05-2017 01:46 PM

When you use |inputlookup filename.csv, there has to be some header/column name appears in Splunk. What are those? Splunk will add the first row as the field name/header automatically.

0 Karma
Reply
Solved! Jump to solution

ronaldsc
New Member
‎01-05-2017 02:03 PM

That would be the server names, so from the example I provided it shows the following:

servera serverb serverc

Below those column names it shows the contents of each server.

0 Karma
Reply
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...