Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to merge multivalue value field in a single value

kalaiyarasi
Loves-to-Learn Lots
‎06-17-2022 02:17 AM

I have field called URN, ControlFlowID, RequestID and SpanID

Requirement is to get data for each URN,how many controlflowid and for each controlflowID, how many requestID and for each requestID how many SpanID needs to populate data in a table view by merging multivalue in a single row. can anyone help me on this.

Eg:

URN    ControlFlowID     RequestID      SpanID

URN1    CTRLFLOW1       REQ1               SpanID1

URN1     CTRLFLOW1       REQ2             SpanID2

URN1      CTRLFLOW1     REQ3               SpanID3

Requirement as below:

URN    ControlFlowID     RequestID      SpanID

                CTRLFLOW1        REQ1              SpanID1

URN1                                       REQ2               SpanID2

                 CTRLFLOW2        REQ3                SpanID3

Labels (1)
Labels
0 Karma
Reply

kalaiyarasi
Loves-to-Learn Lots
‎06-17-2022 07:51 AM

okay, Thanks for the update

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎06-17-2022 04:15 AM

Do you mean something like this

| stats values(ControlFlowID) as ControlFlowID values(RequestID) as RequestID values(SpanID) as SpanID by URN
0 Karma
Reply

kalaiyarasi
Loves-to-Learn Lots
‎06-17-2022 04:24 AM

Hi,

Thanks much for your reply. But the above one  will give result by comparing URN with all fields, but my requirement is, number of controlflowid for each URN and number of requestid for each controlflowid and number of spanid for each requestid  as tree view

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎06-17-2022 04:28 AM

Like this?

| stats count by URN ControlFlowID RequestID SpanID
0 Karma
Reply

kalaiyarasi
Loves-to-Learn Lots
‎06-17-2022 06:40 AM

we need to display it as a tree structured view as below

 

kalaiyarasi_0-1655473226995.png

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎06-17-2022 07:20 AM

Standard table visualisations don't work like that.

If you wanted to spend the effort, you could append streamstats to the previous search to copy each field to the row below and clear out the field if it is the same as the previous. The downside to this is that when you try to sort the table by any of the columns, it will lose its integrity. Also, if you wanted to drilldown from any of the cells, you may not be able to access the value from the first column. You might want to reconsider whether what you are asking for is going to be the best way forward.

Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...