Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to split data based on a field

angersleek
Path Finder
‎04-15-2020 12:41 AM

I have the following query: 

ns=name* TEST_DECISION
PRODUCT IN (PRODUCT1)
| timechart span=1d limit=0 count by TEST_DECISION
| eval total= VALID+INVALID
| eval VALID=round(VALID/total,4)*100
| eval INVALID=round(INVALID/total,4)*100
| fields - total

The output is as follows: 

_time         FAILED VALID INVALID OTHERS
2020-04-14  21  90.97   9.03    727

I have multiple products and that data is getting merged here thus I end up doing it 1 product at a time as seen in the query above (2nd line -> PRODUCT IN (PRODUCT1) ).

I have about 15 products. Is there a way I could modify the above query to achieve the following?
Doubt it but if relevant, products will be named like (CH1276578, FH7623138, DD81236812) .

_time         FAILED VALID INVALID OTHERS. Product
2020-04-14  21  90.97   9.03    727. Product 1
2020-04-14  11  80.85   19.15   700. Product 2
2020-04-14  09  78.97   21.03   712. Product 3
...

Please advice. Thank you.

Tags (2)
0 Karma
Reply

to4kawa
Ultra Champion
‎04-15-2020 02:19 AM 
ns=name* TEST_DECISION
PRODUCT IN (PRODUCT1)
| bin span=1d _time
| stats count by _time TEST_DECISION PRODUCT
| eval time=_time.PRODUCT
| fields - PRODUCT _time
| xyseries time TEST_DECISION count
| eval total= VALID+INVALID
| eval VALID=round(VALID/total,4)*100
| eval INVALID=round(INVALID/total,4)*100
| rex field=time "(?<_time>\d+)(?<PRODUCT>.*)"
| fields - total
0 Karma
Reply

angersleek
Path Finder
‎04-15-2020 03:35 AM

Thank you. This does split it up but I lose all my evals I was calculating % for VALID INVALID above which worked before.

I end up with only 3 columns now.

TEST_DECISION PRODUCT. count

0 Karma
Reply

to4kawa
Ultra Champion
‎04-15-2020 03:55 AM

I can't see your results. what's result values?
but, I modify answer.

0 Karma
Reply

harishalipaka
Motivator
‎04-15-2020 01:56 AM

@angersleek

try this 

ns=name* TEST_DECISION
 PRODUCT IN (PRODUCT1)
 | timechart span=1d limit=0 count by TEST_DECISION PRODUCT
 | eval total= VALID+INVALID
 | eval VALID=round(VALID/total,4)*100
 | eval INVALID=round(INVALID/total,4)*100
 | fields - total
Thanks
Harish
0 Karma
Reply

angersleek
Path Finder
‎04-15-2020 03:36 AM

Think issue with syntax, can't do TEST_DECISION PRODUCT (2 variables) here it seems.

0 Karma
Reply

harishalipaka
Motivator
‎04-15-2020 01:16 AM

hi @angersleek

try like this |where Product in ["CH1276578"," FH7623138","DD81236812"]

Thanks
Harish
0 Karma
Reply

angersleek
Path Finder
‎04-15-2020 01:23 AM

I could but that will not split it up. That would just give same results where all data for all products is merged. I want them to show individually for each product similar to the last table I posted above.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...

Introduction to Splunk AI

How are you using AI in Splunk? Whether you see AI as a threat or opportunity, AI is here to stay. Lucky for ...