Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Build table by char position in string
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I´ve got this event ->
2020/02/14/16:12:28:872
MachineNumber="K003991_HT"
Pass="FPPPPPPFPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPP"
Each position of the pass value gives an pass or fail for one position (1..80 but can also be only 1..45).
For example Pass="FPPF" says ->
Position_1 = Fail
Position_2 = Pass
Position_3 = Pass
Position_4 = Fail
Now I want to buld an table to show which position has how much fails of all events. How to do this?
One possibility could be to use mvexpand and build more events.
For example, build from this ->
2020/02/14/16:12:28:872 MachineNumber="K003991_HT" Pass="FPPF"
that events ->
2020/02/14/16:12:28:872 MachineNumber="K003991_HT" Pass="Fail" Position="1"
2020/02/14/16:12:28:872 MachineNumber="K003991_HT" Pass="Pass" Position="2"
2020/02/14/16:12:28:872 MachineNumber="K003991_HT" Pass="Pass" Position="3"
2020/02/14/16:12:28:872 MachineNumber="K003991_HT" Pass="Fail" Position="4"
...but how is it possible do do this? Or is there an other possibility to buld my table? Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| makeresults
| eval _raw="2020/02/14/16:12:28:872
MachineNumber=\"K003991_HT\"
Pass=\"FPPPPPPFPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPP\""
| rex "(?<time>^\S+)"
| eval _time=strptime(time,"%Y/%m/%d/%T.%3Q")
| kv
| table _time MachineNumber Pass
| eval Pass=split(Pass,"")
| mvexpand Pass
| streamstats count as Position
Hi, folks
The detail:
-
kvextracts key=value -
split()makes multivalue. -
mvexpandcreates events from multivalue. -
streamstatsmakes count named Position.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| makeresults
| eval _raw="2020/02/14/16:12:28:872
MachineNumber=\"K003991_HT\"
Pass=\"FPPPPPPFPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPP\""
| rex "(?<time>^\S+)"
| eval _time=strptime(time,"%Y/%m/%d/%T.%3Q")
| kv
| table _time MachineNumber Pass
| eval Pass=split(Pass,"")
| mvexpand Pass
| streamstats count as Position
Hi, folks
The detail:
-
kvextracts key=value -
split()makes multivalue. -
mvexpandcreates events from multivalue. -
streamstatsmakes count named Position.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Works fine! Thanks!
Only change from my side was ->
| streamstats count as Position by _time
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@ea7777777 try the following run anywhere example based on the sample data provided. Commands till | fields _raw generate data, you can pipe the command from | eval ... and validate the output with your query.
| makeresults
| eval _raw="2020/02/14/16:12:28:872 MachineNumber=\"K003991_HT\" Pass=\"FPPF\""
| KV
| fields - _raw
| eval Pass=replace(replace(Pass,"(\w{1})","\1,"),",$","")
| makemv Pass delim=","
| mvexpand Pass
| makeresults | eval message= "Happy Splunking!!!"
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
Data Management Digest – May 2026
