Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Getting Data In
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: How to split a single line event into multiple...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
romaindelmotte
Explorer
11-26-2015
09:27 AM
Hi,
I have those kind of events indexed:
11/26/15 15:05:11.000 retrievePending=0 mergePending=1823 sendPending=43 resendPending=2
The numbers above are the count of pending tasks in different queues of an application.
Unfortunately, I cannot change the way the logs are written down in the log files, and wished it was something like this:
11/26/15 15:05:11.000 queue=retrieve pending=0
11/26/15 15:05:11.000 queue=merge pending=1823
11/26/15 15:05:11.000 queue=send pending=43
11/26/15 15:05:11.000 queue=resend pending=2
So, is there a way - at search time - to split my data into multiple events so I can use a by clause like below?
index=main sourcetype=queues host=web01 | timechart avg(pending) by queue
I've been looking for some time now, even playing with multi-value commands like mvzip, mkexpand, etc., but can't crack this one.
Any help would be appreciated.
Thanks,
Romain
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
romaindelmotte
Explorer
11-26-2015
10:11 AM
Just find a way myself, actually.
index=main sourcetype=queues host=web01
| eval fields=mvappend("retrieve:".retrievePending,"merge:".mergePending,"send:".sendPending,"resend:".resendPending)
| mvexpand fields
| makemv delim=":" fields
| eval queue=mvindex(fields,0)
| eval count=mvindex(fields,1)
| eval ratio=round((count/500)*100, 2)
| timechart avg(ratio) by queue
Any way to make that a bit more efficient, though?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
romaindelmotte
Explorer
11-26-2015
10:11 AM
Just find a way myself, actually.
index=main sourcetype=queues host=web01
| eval fields=mvappend("retrieve:".retrievePending,"merge:".mergePending,"send:".sendPending,"resend:".resendPending)
| mvexpand fields
| makemv delim=":" fields
| eval queue=mvindex(fields,0)
| eval count=mvindex(fields,1)
| eval ratio=round((count/500)*100, 2)
| timechart avg(ratio) by queue
Any way to make that a bit more efficient, though?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
fpavlovi
Explorer
02-24-2018
10:37 PM
It helped me as well, thank you for sharing!
Get Updates on the Splunk Community!
Application management with Targeted Application Install for Victoria Experience
Experience a new era of flexibility in managing your Splunk Cloud Platform apps! With Targeted Application ...
Index This | What goes up and never comes down?
January 2026 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We’re back with this ...
Splunkers, Pack Your Bags: Why Cisco Live EMEA is Your Next Big Destination
The Power of Two: Splunk + Cisco at "Ludicrous Scale"
You know Splunk. You know Cisco. But have you seen ...
