Hello,
I am pretty new to Splunk, and just feel lost at times. I have a question that I can't seem to find an answer for.
I have data that looks like
So the above is like 1 row, and then there are multiple rows with the same type of list of entries for timestamp and total.
Now I want to turn each row into a line on a line chart where the x-axis is the timestamp and the y-axis is the "Total", sort of like overlapping line charts based on all the rows.
Anyone have ideas?
| eval zipped=mvzip(TimeStamp,Total,"!")
| mvexpand zipped
| eval TimeStamp=mvindex(split(zipped,"!"),0)
| eval Total=mvindex(split(zipped,"!"),1)
| fields - zipped
You are a beautiful soul.
Great solution. I just noticed that my solution has the issue that I'm deduping the same results, so this will lead to an incorrect total value.
Hi, have you tried to expand the multivalue field with
| mvexpand TimeStamp?
Hello, so I have tried that. The issue, though, is that I then get a table that looks like this
So then I apply the same thing to the Total columns and I get a bunch of duplicate rows. Is there a way to delete all duplicate rows at that point?
Yes, try
| dedup TimeStamp,Total
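Added example (not part of any post in this thread, and not Splunk code): a small Python model of why the mvzip answer keeps each TimeStamp with its own Total, while expanding the two fields separately and then deduplicating does not. The sample event, its host field and the function names are constructed for illustration, and the model covers a single event.

```python
from itertools import product


def _base(event, a, b):
    # Copy every field except the two multivalue fields being expanded.
    return {k: v for k, v in event.items() if k not in (a, b)}


def mvzip_expand(event, a="TimeStamp", b="Total", delim="!"):
    """Model of: eval zipped=mvzip(a,b,"!") | mvexpand zipped | split back out."""
    zipped = [f"{x}{delim}{y}" for x, y in zip(event[a], event[b])]  # pair by position
    rows = []
    for z in zipped:  # mvexpand: one output row per zipped value
        x, y = z.split(delim, 1)
        rows.append({**_base(event, a, b), a: x, b: y})
    return rows


def expand_each_then_dedup(event, a="TimeStamp", b="Total"):
    """Model of: mvexpand a | mvexpand b | dedup a,b."""
    seen, rows = set(), []
    # Two independent expands yield every (a, b) combination, not the original pairs.
    for x, y in product(event[a], event[b]):
        if (x, y) in seen:  # dedup keeps only the first row per (a, b) pair
            continue
        seen.add((x, y))
        rows.append({**_base(event, a, b), a: x, b: y})
    return rows


def pairs(rows):
    return [(r["TimeStamp"], r["Total"]) for r in rows]


# Constructed sample: one "row" as described in the question, with a repeated Total.
SAMPLE = {
    "host": "web01",
    "TimeStamp": ["10:00", "10:05", "10:10"],
    "Total": ["5", "5", "9"],
}

if __name__ == "__main__":
    print("mvzip + mvexpand:   ", pairs(mvzip_expand(SAMPLE)))
    print("mvexpand x2 + dedup:", pairs(expand_each_then_dedup(SAMPLE)))
```

In the second output, rows such as ("10:00", "9") never existed in the source event, which is why the chart totals come out wrong after the dedup.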