Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to split data based on a field

angersleek
Path Finder
‎04-15-2020 12:41 AM

I have the following query: 

ns=name* TEST_DECISION
PRODUCT IN (PRODUCT1)
| timechart span=1d limit=0 count by TEST_DECISION
| eval total= VALID+INVALID
| eval VALID=round(VALID/total,4)*100
| eval INVALID=round(INVALID/total,4)*100
| fields - total

The output is as follows: 

_time         FAILED VALID INVALID OTHERS
2020-04-14  21  90.97   9.03    727

I have multiple products and that data is getting merged here thus I end up doing it 1 product at a time as seen in the query above (2nd line -> PRODUCT IN (PRODUCT1) ).

I have about 15 products. Is there a way I could modify the above query to achieve the following?
Doubt it but if relevant, products will be named like (CH1276578, FH7623138, DD81236812) .

_time         FAILED VALID INVALID OTHERS. Product
2020-04-14  21  90.97   9.03    727. Product 1
2020-04-14  11  80.85   19.15   700. Product 2
2020-04-14  09  78.97   21.03   712. Product 3
...

Please advice. Thank you.

Tags (2)
0 Karma
Reply

to4kawa
Ultra Champion
‎04-15-2020 02:19 AM 
ns=name* TEST_DECISION
PRODUCT IN (PRODUCT1)
| bin span=1d _time
| stats count by _time TEST_DECISION PRODUCT
| eval time=_time.PRODUCT
| fields - PRODUCT _time
| xyseries time TEST_DECISION count
| eval total= VALID+INVALID
| eval VALID=round(VALID/total,4)*100
| eval INVALID=round(INVALID/total,4)*100
| rex field=time "(?<_time>\d+)(?<PRODUCT>.*)"
| fields - total
0 Karma
Reply

angersleek
Path Finder
‎04-15-2020 03:35 AM

Thank you. This does split it up but I lose all my evals I was calculating % for VALID INVALID above which worked before.

I end up with only 3 columns now.

TEST_DECISION PRODUCT. count

0 Karma
Reply

to4kawa
Ultra Champion
‎04-15-2020 03:55 AM

I can't see your results. what's result values?
but, I modify answer.

0 Karma
Reply

harishalipaka
Motivator
‎04-15-2020 01:56 AM

@angersleek

try this 

ns=name* TEST_DECISION
 PRODUCT IN (PRODUCT1)
 | timechart span=1d limit=0 count by TEST_DECISION PRODUCT
 | eval total= VALID+INVALID
 | eval VALID=round(VALID/total,4)*100
 | eval INVALID=round(INVALID/total,4)*100
 | fields - total
Thanks
Harish
0 Karma
Reply

angersleek
Path Finder
‎04-15-2020 03:36 AM

Think issue with syntax, can't do TEST_DECISION PRODUCT (2 variables) here it seems.

0 Karma
Reply

harishalipaka
Motivator
‎04-15-2020 01:16 AM

hi @angersleek

try like this |where Product in ["CH1276578"," FH7623138","DD81236812"]

Thanks
Harish
0 Karma
Reply

angersleek
Path Finder
‎04-15-2020 01:23 AM

I could but that will not split it up. That would just give same results where all data for all products is merged. I want them to show individually for each product similar to the last table I posted above.

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
Top