Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

xyseries removes field line break

vini98limasilva
Explorer
‎11-28-2019 04:54 AM

Hi, I have the following search where I create two fields which has a line break (Topic and value):

index="example" sourcetype="trial"
| stats avg(availability) as value, dc(name) as Number
| eval value = tostring(value) + ":" + tostring(Number) + " of " + tostring(Number) | makemv delim=":" value
| eval Topic="C" + ":" + "Serviceplans" | makemv delim=":" Topic
| eval Time="10/2019"
| xyseries Topic Time value

When I do this xyseries will remove the linebreak from field Topic but won't do the same for value. I wanted that both fields keep the line break.

Thanks!

Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎12-02-2019 08:44 PM

There are some VERY long-standing subtle bugs related to makemv and similar commands when using delim= where splunk "remembers" things that it should not. This is unequivocally a bug. Here is a search that proves that when you remove the makemv, that it works:

| makeresults 
| eval _raw="value,Number
2.5,4"
| multikv
| eval value = tostring(value) + ":" + tostring(Number) + " of " + tostring(Number) 
| makemv delim=":" value
| eval Topic="C
Serviceplans" 
| eval Time="10/2019"
| xyseries Topic Time value

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎12-02-2019 08:44 PM

There are some VERY long-standing subtle bugs related to makemv and similar commands when using delim= where splunk "remembers" things that it should not. This is unequivocally a bug. Here is a search that proves that when you remove the makemv, that it works:

| makeresults 
| eval _raw="value,Number
2.5,4"
| multikv
| eval value = tostring(value) + ":" + tostring(Number) + " of " + tostring(Number) 
| makemv delim=":" value
| eval Topic="C
Serviceplans" 
| eval Time="10/2019"
| xyseries Topic Time value
0 Karma
Reply
Solved! Jump to solution

vini98limasilva
Explorer
‎12-03-2019 04:18 AM

Thanks @woodcock, I just separated the string in different rows! Funny bug though.

Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎11-29-2019 05:06 AM 
| makeresults 
| eval _raw="value,Number
2.5,4"
| multikv
| eval value = tostring(value) + ":" + tostring(Number) + " of " + tostring(Number) 
| makemv delim=":" value
| eval Topic="C" + ":" + "Serviceplans" 
| makemv delim=":" Topic
| eval Time="10/2019"
`comment("this is sample data")`
| eval zipped=mvzip(Topic,value)
| mvexpand zipped
| streamstats count
| eval Topic=mvindex(Topic,count -1), value=mvindex(value,count -1)
| table Time Topic value
| xyseries Topic Time value

Hi, @vini98limasilva
How about this?

0 Karma
Reply
Solved! Jump to solution

vini98limasilva
Explorer
‎12-03-2019 04:16 AM

Hi @to4kawa,

Almost, it separated the values in different rows which wasn't exactly what I needed. Thanks for the answer anyway 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...