Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

xyseries removes field line break

vini98limasilva
Explorer
‎11-28-2019 04:54 AM

Hi, I have the following search where I create two fields which has a line break (Topic and value):

index="example" sourcetype="trial"
| stats avg(availability) as value, dc(name) as Number
| eval value = tostring(value) + ":" + tostring(Number) + " of " + tostring(Number) | makemv delim=":" value
| eval Topic="C" + ":" + "Serviceplans" | makemv delim=":" Topic
| eval Time="10/2019"
| xyseries Topic Time value

When I do this xyseries will remove the linebreak from field Topic but won't do the same for value. I wanted that both fields keep the line break.

Thanks!

Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎12-02-2019 08:44 PM

There are some VERY long-standing subtle bugs related to makemv and similar commands when using delim= where splunk "remembers" things that it should not. This is unequivocally a bug. Here is a search that proves that when you remove the makemv, that it works:

| makeresults 
| eval _raw="value,Number
2.5,4"
| multikv
| eval value = tostring(value) + ":" + tostring(Number) + " of " + tostring(Number) 
| makemv delim=":" value
| eval Topic="C
Serviceplans" 
| eval Time="10/2019"
| xyseries Topic Time value

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎12-02-2019 08:44 PM

There are some VERY long-standing subtle bugs related to makemv and similar commands when using delim= where splunk "remembers" things that it should not. This is unequivocally a bug. Here is a search that proves that when you remove the makemv, that it works:

| makeresults 
| eval _raw="value,Number
2.5,4"
| multikv
| eval value = tostring(value) + ":" + tostring(Number) + " of " + tostring(Number) 
| makemv delim=":" value
| eval Topic="C
Serviceplans" 
| eval Time="10/2019"
| xyseries Topic Time value

View solution in original post

0 Karma
Reply
Solved! Jump to solution

vini98limasilva
Explorer
‎12-03-2019 04:18 AM

Thanks @woodcock, I just separated the string in different rows! Funny bug though.

Reply
Solved! Jump to solution

to4kawa
SplunkTrust
SplunkTrust
‎11-29-2019 05:06 AM 
| makeresults 
| eval _raw="value,Number
2.5,4"
| multikv
| eval value = tostring(value) + ":" + tostring(Number) + " of " + tostring(Number) 
| makemv delim=":" value
| eval Topic="C" + ":" + "Serviceplans" 
| makemv delim=":" Topic
| eval Time="10/2019"
`comment("this is sample data")`
| eval zipped=mvzip(Topic,value)
| mvexpand zipped
| streamstats count
| eval Topic=mvindex(Topic,count -1), value=mvindex(value,count -1)
| table Time Topic value
| xyseries Topic Time value

Hi, @vini98limasilva
How about this?

0 Karma
Reply
Solved! Jump to solution

vini98limasilva
Explorer
‎12-03-2019 04:16 AM

Hi @to4kawa,

Almost, it separated the values in different rows which wasn't exactly what I needed. Thanks for the answer anyway 🙂

0 Karma
Reply
The Latest From the Splunk Community!