
How to merge multivalue value field in a single value

kalaiyarasi
Loves-to-Learn

I have fields called URN, ControlFlowID, RequestID and SpanID.

The requirement is to get data for each URN: how many ControlFlowIDs, for each ControlFlowID how many RequestIDs, and for each RequestID how many SpanIDs, and to populate the data in a table view by merging the multivalue fields into a single row. Can anyone help me with this?

Eg:

URN     ControlFlowID   RequestID   SpanID
URN1    CTRLFLOW1       REQ1        SpanID1
URN1    CTRLFLOW1       REQ2        SpanID2
URN1    CTRLFLOW1       REQ3        SpanID3

Requirement as below:

URN     ControlFlowID   RequestID   SpanID
        CTRLFLOW1       REQ1        SpanID1
URN1                    REQ2        SpanID2
        CTRLFLOW2       REQ3        SpanID3

0 Karma

kalaiyarasi
Loves-to-Learn

Okay, thanks for the update.

0 Karma

ITWhisperer
SplunkTrust

Do you mean something like this?

| stats values(ControlFlowID) as ControlFlowID values(RequestID) as RequestID values(SpanID) as SpanID by URN
0 Karma

kalaiyarasi
Loves-to-Learn

Hi,

Thanks very much for your reply. But the above one will give the result by comparing URN with all fields, while my requirement is the number of ControlFlowIDs for each URN, the number of RequestIDs for each ControlFlowID, and the number of SpanIDs for each RequestID, as a tree view.

0 Karma

ITWhisperer
SplunkTrust

Like this?

| stats count by URN ControlFlowID RequestID SpanID
0 Karma

kalaiyarasi
Loves-to-Learn

We need to display it as a tree-structured view, as below:

[Image: kalaiyarasi_0-1655473226995.png]

0 Karma

ITWhisperer
SplunkTrust

Standard table visualisations don't work like that.

If you wanted to spend the effort, you could append streamstats to the previous search to copy each field to the row below and clear out the field if it is the same as the previous. The downside to this is that when you try to sort the table by any of the columns, it will lose its integrity. Also, if you wanted to drill down from any of the cells, you may not be able to access the value from the first column. You might want to reconsider whether what you are asking for is going to be the best way forward.
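The streamstats approach described in the reply above, written out as an added example that is not part of the original thread. The first five lines only build constructed sample rows so the search runs without an index; the `constructed_row`, `prev_*` and `same_*` field names and the explicit `sort 0` are assumptions of this sketch, and a parent column is blanked only when every column to its left also repeats, so a new URN never inherits a blank ControlFlowID.

```spl
| makeresults
| eval constructed_row=split("URN1,CTRLFLOW1,REQ1,SpanID1;URN1,CTRLFLOW1,REQ2,SpanID2;URN1,CTRLFLOW2,REQ3,SpanID3", ";")
| mvexpand constructed_row
| eval URN=mvindex(split(constructed_row, ","), 0), ControlFlowID=mvindex(split(constructed_row, ","), 1), RequestID=mvindex(split(constructed_row, ","), 2), SpanID=mvindex(split(constructed_row, ","), 3)
| fields URN ControlFlowID RequestID SpanID
| stats count by URN ControlFlowID RequestID SpanID
| sort 0 URN ControlFlowID RequestID SpanID
| streamstats current=f window=1 last(URN) as prev_URN last(ControlFlowID) as prev_ControlFlowID last(RequestID) as prev_RequestID
| eval same_URN=if(isnotnull(prev_URN) AND URN==prev_URN, 1, 0)
| eval same_ControlFlowID=if(same_URN==1 AND ControlFlowID==prev_ControlFlowID, 1, 0)
| eval same_RequestID=if(same_ControlFlowID==1 AND RequestID==prev_RequestID, 1, 0)
| eval URN=if(same_URN==1, "", URN), ControlFlowID=if(same_ControlFlowID==1, "", ControlFlowID), RequestID=if(same_RequestID==1, "", RequestID)
| table URN ControlFlowID RequestID SpanID count
```

On the sample rows this leaves URN1 and CTRLFLOW1 only on the first row and CTRLFLOW2 only on the third; re-sorting the rendered table or drilling down on a blanked cell breaks it in the ways the reply describes.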
