Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: xyseries removes field line break
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, I have the following search where I create two fields which has a line break (Topic and value):
index="example" sourcetype="trial"
| stats avg(availability) as value, dc(name) as Number
| eval value = tostring(value) + ":" + tostring(Number) + " of " + tostring(Number) | makemv delim=":" value
| eval Topic="C" + ":" + "Serviceplans" | makemv delim=":" Topic
| eval Time="10/2019"
| xyseries Topic Time value
When I do this xyseries will remove the linebreak from field Topic but won't do the same for value. I wanted that both fields keep the line break.
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There are some VERY long-standing subtle bugs related to makemv and similar commands when using delim= where splunk "remembers" things that it should not. This is unequivocally a bug. Here is a search that proves that when you remove the makemv, that it works:
| makeresults
| eval _raw="value,Number
2.5,4"
| multikv
| eval value = tostring(value) + ":" + tostring(Number) + " of " + tostring(Number)
| makemv delim=":" value
| eval Topic="C
Serviceplans"
| eval Time="10/2019"
| xyseries Topic Time value
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There are some VERY long-standing subtle bugs related to makemv and similar commands when using delim= where splunk "remembers" things that it should not. This is unequivocally a bug. Here is a search that proves that when you remove the makemv, that it works:
| makeresults
| eval _raw="value,Number
2.5,4"
| multikv
| eval value = tostring(value) + ":" + tostring(Number) + " of " + tostring(Number)
| makemv delim=":" value
| eval Topic="C
Serviceplans"
| eval Time="10/2019"
| xyseries Topic Time value
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks @woodcock, I just separated the string in different rows! Funny bug though.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| makeresults
| eval _raw="value,Number
2.5,4"
| multikv
| eval value = tostring(value) + ":" + tostring(Number) + " of " + tostring(Number)
| makemv delim=":" value
| eval Topic="C" + ":" + "Serviceplans"
| makemv delim=":" Topic
| eval Time="10/2019"
`comment("this is sample data")`
| eval zipped=mvzip(Topic,value)
| mvexpand zipped
| streamstats count
| eval Topic=mvindex(Topic,count -1), value=mvindex(value,count -1)
| table Time Topic value
| xyseries Topic Time value
Hi, @vini98limasilva
How about this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @to4kawa,
Almost, it separated the values in different rows which wasn't exactly what I needed. Thanks for the answer anyway 🙂
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...
Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern
Splunk Developer Day announcements: AI agents, MCP tools, Forecasting, and Custom ...
