Dashboards & Visualizations

How to create search do calculations and make it like Excel row data?

FcwfCW76
Explorer
Hi, all!
I have a table

FcwfCW76_0-1644419654330.png

I want to be like this

FcwfCW76_1-1644418803423.png

How can I do this?
Can help me?

 

Labels (1)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust
| makeresults
| eval _raw="A,1,2,3,4,HI,HELLO,OK
B,5,6,7,8,HI,HELLO,OK"
| multikv noheader=t
| rename Column_1 as name
| rename Column_2 as in
| rename Column_3 as out
| rename Column_4 as in1
| rename Column_5 as out1
| rename Column_6 as data1
| rename Column_7 as data2
| rename Column_8 as data3
| fields name in out in1 out1 data1 data2 data3
| fields - _raw _time
| transpose 0 header_field=name column_name=name
| eval C=if(isnum(A),(A*2)+B,A)
| eval D=if(isnum(A),(A*2)+(B*2),A)
| transpose 0 header_field=name column_name=name

View solution in original post

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
| transpose 0 header_field=name column_name=name
| eval C=(A*2)+B
| eval D=(A*2)+(B*2)
| transpose 0 header_field=name column_name=name

Where name is the name of the first column

FcwfCW76
Explorer

@ITWhisperer Thank you so much 

But the columns that is not a number is null, is it can to join at the same time?

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Do you mean you don't have the first column of your table in splunk?

If so, you can add a field (column) to each row before the transpose

| streamstats count as row
| eval row="row".row
| transpose 0 header_field=row column_name=row
| eval row3=(row1*2)+row2
| eval row4=(row1*2)+(row2*2)
| transpose 0 header_field=row column_name=row
0 Karma

FcwfCW76
Explorer

@ITWhisperer Sorry I can't express clearly

858F23EB-E09D-459F-99A0-C3723C8CCBCB.png

 I want this

E262124E-1414-4073-B770-AB911631640C.png

 but now is this

E528A5A0-2D80-473D-B02D-5EAC3F76A178.png

 Thanks again for your help

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
| makeresults
| eval _raw="A,1,2,3,4,HI,HELLO,OK
B,5,6,7,8,HI,HELLO,OK"
| multikv noheader=t
| rename Column_1 as name
| rename Column_2 as in
| rename Column_3 as out
| rename Column_4 as in1
| rename Column_5 as out1
| rename Column_6 as data1
| rename Column_7 as data2
| rename Column_8 as data3
| fields name in out in1 out1 data1 data2 data3
| fields - _raw _time
| transpose 0 header_field=name column_name=name
| eval C=if(isnum(A),(A*2)+B,A)
| eval D=if(isnum(A),(A*2)+(B*2),A)
| transpose 0 header_field=name column_name=name
0 Karma

FcwfCW76
Explorer

Thank you

0 Karma

FcwfCW76
Explorer

@ITWhisperer 

Thank you so much

but I still have a lot of questions

Can you give me your contact information?

0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...