Dashboards & Visualizations

How to merge multivalue value field in a single value

kalaiyarasi
Loves-to-Learn Lots

I have field called URN, ControlFlowID, RequestID and SpanID

Requirement is to get data for each URN,how many controlflowid and for each controlflowID, how many requestID and for each requestID how many SpanID needs to populate data in a table view by merging multivalue in a single row. can anyone help me on this.

Eg:

URN    ControlFlowID     RequestID      SpanID

URN1    CTRLFLOW1       REQ1               SpanID1

URN1     CTRLFLOW1       REQ2             SpanID2

URN1      CTRLFLOW1     REQ3               SpanID3

Requirement as below:

URN    ControlFlowID     RequestID      SpanID

                CTRLFLOW1        REQ1              SpanID1

URN1                                       REQ2               SpanID2

                 CTRLFLOW2        REQ3                SpanID3

Labels (1)
0 Karma

kalaiyarasi
Loves-to-Learn Lots

okay, Thanks for the update

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Do you mean something like this

| stats values(ControlFlowID) as ControlFlowID values(RequestID) as RequestID values(SpanID) as SpanID by URN
0 Karma

kalaiyarasi
Loves-to-Learn Lots

Hi,

Thanks much for your reply. But the above one  will give result by comparing URN with all fields, but my requirement is, number of controlflowid for each URN and number of requestid for each controlflowid and number of spanid for each requestid  as tree view

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Like this?

| stats count by URN ControlFlowID RequestID SpanID
0 Karma

kalaiyarasi
Loves-to-Learn Lots

we need to display it as a tree structured view as below

 

kalaiyarasi_0-1655473226995.png

 

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Standard table visualisations don't work like that.

If you wanted to spend the effort, you could append streamstats to the previous search to copy each field to the row below and clear out the field if it is the same as the previous. The downside to this is that when you try to sort the table by any of the columns, it will lose its integrity. Also, if you wanted to drilldown from any of the cells, you may not be able to access the value from the first column. You might want to reconsider whether what you are asking for is going to be the best way forward.

Get Updates on the Splunk Community!

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...