Getting Data In

xyseries removes field line break

vini98limasilva
Explorer

Hi, I have the following search where I create two fields which has a line break (Topic and value):

index="example" sourcetype="trial"
| stats avg(availability) as value, dc(name) as Number
| eval value = tostring(value) + ":" + tostring(Number) + " of " + tostring(Number) | makemv delim=":" value
| eval Topic="C" + ":" + "Serviceplans" | makemv delim=":" Topic
| eval Time="10/2019"
| xyseries Topic Time value

When I do this xyseries will remove the linebreak from field Topic but won't do the same for value. I wanted that both fields keep the line break.

Thanks!

1 Solution

woodcock
Esteemed Legend

There are some VERY long-standing subtle bugs related to makemv and similar commands when using delim= where splunk "remembers" things that it should not. This is unequivocally a bug. Here is a search that proves that when you remove the makemv, that it works:

| makeresults 
| eval _raw="value,Number
2.5,4"
| multikv
| eval value = tostring(value) + ":" + tostring(Number) + " of " + tostring(Number) 
| makemv delim=":" value
| eval Topic="C
Serviceplans" 
| eval Time="10/2019"
| xyseries Topic Time value

View solution in original post

0 Karma

woodcock
Esteemed Legend

There are some VERY long-standing subtle bugs related to makemv and similar commands when using delim= where splunk "remembers" things that it should not. This is unequivocally a bug. Here is a search that proves that when you remove the makemv, that it works:

| makeresults 
| eval _raw="value,Number
2.5,4"
| multikv
| eval value = tostring(value) + ":" + tostring(Number) + " of " + tostring(Number) 
| makemv delim=":" value
| eval Topic="C
Serviceplans" 
| eval Time="10/2019"
| xyseries Topic Time value
0 Karma

vini98limasilva
Explorer

Thanks @woodcock, I just separated the string in different rows! Funny bug though.

to4kawa
Ultra Champion
| makeresults 
| eval _raw="value,Number
2.5,4"
| multikv
| eval value = tostring(value) + ":" + tostring(Number) + " of " + tostring(Number) 
| makemv delim=":" value
| eval Topic="C" + ":" + "Serviceplans" 
| makemv delim=":" Topic
| eval Time="10/2019"
`comment("this is sample data")`
| eval zipped=mvzip(Topic,value)
| mvexpand zipped
| streamstats count
| eval Topic=mvindex(Topic,count -1), value=mvindex(value,count -1)
| table Time Topic value
| xyseries Topic Time value

Hi, @vini98limasilva
How about this?

0 Karma

vini98limasilva
Explorer

Hi @to4kawa,

Almost, it separated the values in different rows which wasn't exactly what I needed. Thanks for the answer anyway 🙂

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...