Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to split data based on a field

angersleek
Path Finder
‎04-15-2020 12:41 AM

I have the following query: 

ns=name* TEST_DECISION
PRODUCT IN (PRODUCT1)
| timechart span=1d limit=0 count by TEST_DECISION
| eval total= VALID+INVALID
| eval VALID=round(VALID/total,4)*100
| eval INVALID=round(INVALID/total,4)*100
| fields - total

The output is as follows: 

_time         FAILED VALID INVALID OTHERS
2020-04-14  21  90.97   9.03    727

I have multiple products and that data is getting merged here thus I end up doing it 1 product at a time as seen in the query above (2nd line -> PRODUCT IN (PRODUCT1) ).

I have about 15 products. Is there a way I could modify the above query to achieve the following?
Doubt it but if relevant, products will be named like (CH1276578, FH7623138, DD81236812) .

_time         FAILED VALID INVALID OTHERS. Product
2020-04-14  21  90.97   9.03    727. Product 1
2020-04-14  11  80.85   19.15   700. Product 2
2020-04-14  09  78.97   21.03   712. Product 3
...

Please advice. Thank you.

Tags (2)
0 Karma
Reply

to4kawa
Ultra Champion
‎04-15-2020 02:19 AM 
ns=name* TEST_DECISION
PRODUCT IN (PRODUCT1)
| bin span=1d _time
| stats count by _time TEST_DECISION PRODUCT
| eval time=_time.PRODUCT
| fields - PRODUCT _time
| xyseries time TEST_DECISION count
| eval total= VALID+INVALID
| eval VALID=round(VALID/total,4)*100
| eval INVALID=round(INVALID/total,4)*100
| rex field=time "(?<_time>\d+)(?<PRODUCT>.*)"
| fields - total
0 Karma
Reply

angersleek
Path Finder
‎04-15-2020 03:35 AM

Thank you. This does split it up but I lose all my evals I was calculating % for VALID INVALID above which worked before.

I end up with only 3 columns now.

TEST_DECISION PRODUCT. count

0 Karma
Reply

to4kawa
Ultra Champion
‎04-15-2020 03:55 AM

I can't see your results. what's result values?
but, I modify answer.

0 Karma
Reply

harishalipaka
Motivator
‎04-15-2020 01:56 AM

@angersleek

try this 

ns=name* TEST_DECISION
 PRODUCT IN (PRODUCT1)
 | timechart span=1d limit=0 count by TEST_DECISION PRODUCT
 | eval total= VALID+INVALID
 | eval VALID=round(VALID/total,4)*100
 | eval INVALID=round(INVALID/total,4)*100
 | fields - total
Thanks
Harish
0 Karma
Reply

angersleek
Path Finder
‎04-15-2020 03:36 AM

Think issue with syntax, can't do TEST_DECISION PRODUCT (2 variables) here it seems.

0 Karma
Reply

harishalipaka
Motivator
‎04-15-2020 01:16 AM

hi @angersleek

try like this |where Product in ["CH1276578"," FH7623138","DD81236812"]

Thanks
Harish
0 Karma
Reply

angersleek
Path Finder
‎04-15-2020 01:23 AM

I could but that will not split it up. That would just give same results where all data for all products is merged. I want them to show individually for each product similar to the last table I posted above.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Answers Content Calendar, June Edition

Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...
Top