Need Guidance on Formatting SPL Output for Individ...

sanjai

Hello everyone,

I'm currently working on a Dashboard to visualize Database latency across various machines, and I'm encountering an issue with the Line Chart's SPL (Search Processing Language). The SPL requirement is to retrieve all values of the field ms_per_block grouped by ds_file_path and machine.

Here's my SPL:

index=development sourcetype=custom_function user_action=database_test ds_file=*
| eval ds_file_path=ds_path."\\".ds_file
| search ds_file_path="\\\\swmfs\\orca_db_january_2024\\type\\rwo.ds"
| chart values(ms_per_block) by ds_file_path machine

My result:

My goal is to have the output where each ds_file_path value is listed in individual rows along with the corresponding machine and ms_per_block values in separate rows. I've tried using the table command:

| table ds_file_path, machine, ms_per_block

But this doesn't give me the desired output. The machine name is under a field, whereas I need the machine name to be a separate field, each containing its respective ms_per_block value.

I feel like I'm missing something here. Any guidance on how to achieve this would be greatly appreciated. Thanks in advance!

deepakc

Have a look ta the transpose command, see the examples, this may work for you.

https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Transpose

sanjai

Thanks for the reply @deepakc , but that didn't work for me🙂

Need Guidance on Formatting SPL Output for Individual Machine Values

chart

timechart

Enter the Dashboard Challenge and Watch the .conf24 Global Broadcast!

Join Us at the Builder Bar at .conf24 – Empowering Innovation and Collaboration

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users