Solved: Re: Data spliting

prathapkcsc · ‎04-05-2017

i have a data like this
ip = 10.60.11.170 , value = 46
ip = 10.60.11.168 , value = 47
ip = 10.60.11.171 , value = 48
ip = 10.60.11.167 , value = 47
like 10 rows
i want to store the above data in table format and i need to generate the visualization like for particular ip address,how much memory consuming .

when i am giving
source=my base search | table ip,value

after executing this,its giving me only 1st row.How to get the remaining all
Can anyone help me how to crack this
Thank you

DalJeanis · ‎04-05-2017

This just generates some test records with your sample data. Now, what did you want your visualization to look like?

| makeresults 
| eval allmydata="ip = 10.60.11.170 , value = 46
ip = 10.60.11.168 , value = 47
ip = 10.60.11.171 , value = 48
ip = 10.60.11.167 , value = 47"
| rex field=allmydata max_match=0 "(?<thedata>ip = ([\d\.]+) , value = (\d+))"
| fields thedata
| mvexpand thedata
| rex field=thedata max_match=0 "ip = (?<ip>[\d\.]+) , value = (?<value>\d+)"
| table ip value

View solution in original post

DalJeanis · ‎04-05-2017

This just generates some test records with your sample data. Now, what did you want your visualization to look like?

| makeresults 
| eval allmydata="ip = 10.60.11.170 , value = 46
ip = 10.60.11.168 , value = 47
ip = 10.60.11.171 , value = 48
ip = 10.60.11.167 , value = 47"
| rex field=allmydata max_match=0 "(?<thedata>ip = ([\d\.]+) , value = (\d+))"
| fields thedata
| mvexpand thedata
| rex field=thedata max_match=0 "ip = (?<ip>[\d\.]+) , value = (?<value>\d+)"
| table ip value

prathapkcsc · ‎04-05-2017

The value

DalJeanis · ‎04-05-2017

 | chart sum(value) as value by ip

prathapkcsc · ‎04-05-2017

The value field comes from the text dynamically...the value field is the free memory of the datanode..that gives different values every time..but in your solution you hardcoded value field..

prathapkcsc · ‎04-05-2017

I wrote a script that checks how much cpu,memory consuming the datanodes..that details would store in one text file..
I have 10 datanodes,so for each datanode one different value will come dynamically.for that i need to store in table and have to generate one graph which shows the freee memory status of the corresponding node...

DalJeanis · ‎04-05-2017

Replace lines 1-2 with your actual data. Use the same format as your sample.

ip = xxx.xxx.xxx.xxx , value = xxxx

prathapkcsc · ‎04-05-2017

ip = xxx.xxx.xxx.xxx , value = xxxx

Can i give same above in eval command??

prathapkcsc · ‎04-05-2017

Thank you somuch DalJeanis..It works absolutely fine...Awesome 😄
kudos to you

DalJeanis · ‎04-06-2017

You are very welcome.

I would expect that you would want to also track this over time. If you'd like to do that, then post a new question and the community can give you suggestions about how to do that. (Basically, you'd want to add a date/time stamp to the data, break the data up into individual records, and output that either to a csv or a summary index so that you could read it in later without going to the individual fiels.)

prathapkcsc · ‎04-08-2017

Hey in eval expression we are giving the values manually right?
My requirement is that it has pick all the values dynamically.
Is there any way to do it that?

prathapkcsc · ‎04-08-2017

eval allmydata="ip = 10.60.11.170 , value = 46
ip = 10.60.11.168 , value = 47
ip = 10.60.11.171 , value = 48
ip = 10.60.11.167 , value = 47"

i need to avoid these thing.Splunk has to pick all the rows in the event automatically..

Can you tell me

DalJeanis · ‎04-05-2017

Is the above data all in a single record, or is it in individual records?

prathapkcsc · ‎04-05-2017

It is a text with 10 rows of data coming from the linux script.Here the value changes dynamically.

DalJeanis · ‎04-05-2017

Okay, the sample code, from line 6 on, will handle pulling the data out of any event where it is present as multiple data lines such as the sample data in lines 2-5. If the _time field is present on the event and you are looking for CPU usage across time, then be sure to include _time in the table command in line 10.

prathapkcsc · ‎04-05-2017

I wrote a script that checks how much cpu,memory consuming the datanodes..that details would store in one text file..
I have 10 datanodes,so for each datanode one different value will come dynamically.for that i need to store in table and have to generate one graph which shows the freee memory status of the corresponding node...

Data spliting

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!