Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Turning tables into a matrix form

cindygibbs_08
Communicator
‎06-03-2021 06:42 AM

I hope you guys are doing very well,

I have a list of a series of task that are executed in an hourly fashion from Monday to Thursdays but the table that I get from my Splunk code shows the data as follows:

Time_Framenum_task
Mon 14-1648
Tue   14-1614
Wed 14-1669
Thu  14-164

 

Note: This table extends from 9-10 until 22-13 hours for each day (Mon-Thu)

but I would like this information to be shown as the following:

Day /Time Frame14-1616-18
Mon4814
Tue1425
Wed6914
Thu405

 

Which will show the Days in a single column and each Time_Frame in their respective single columns the intercepting cells will represents the num_task for the corresponding  day and Time_frame,

I know the first step will be to split the strings "Mon 14-16" into Mon and time but I am getting lost as to how to make the, follow my desired matrix arrange. Thank you so much to everyone who can help me out.

 

Kindly,

 

Cindy

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎06-03-2021 07:10 AM

Hi @cindygibbs_08,

you can split the field "Time_Frame" into 2 fields using a regex like the following,

| rex "^(?<day>\w+)\s+(?<time>\d+-\d+)"

that you can test at https://regex101.com/r/KyiPaD/1

Then you can use the chart command to create your table.

There's only one problem, the order of the week days: that you can solve adding a number to the weekday before the chart command that you can remove after the chart command, something like this:

your_search
| rex "^(?<day>\w+)\s+(?<time>\d+-\d+)"
| eval day=case(day="Mon","1-".day,day="Tue","2-".day,day="Wed","3-".day,day="Thu","4-".day,day="Fri","5-".day)
| chart values(num_task) AS num_task OVER day BY time
| eval day=case(day="1-Mon","Mon",day="2-Tue","Tue",day="3-Wed","Wed",day="4-Thu","Thu",day="5-Fri","Fri")

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎06-03-2021 07:10 AM

Hi @cindygibbs_08,

you can split the field "Time_Frame" into 2 fields using a regex like the following,

| rex "^(?<day>\w+)\s+(?<time>\d+-\d+)"

that you can test at https://regex101.com/r/KyiPaD/1

Then you can use the chart command to create your table.

There's only one problem, the order of the week days: that you can solve adding a number to the weekday before the chart command that you can remove after the chart command, something like this:

your_search
| rex "^(?<day>\w+)\s+(?<time>\d+-\d+)"
| eval day=case(day="Mon","1-".day,day="Tue","2-".day,day="Wed","3-".day,day="Thu","4-".day,day="Fri","5-".day)
| chart values(num_task) AS num_task OVER day BY time
| eval day=case(day="1-Mon","Mon",day="2-Tue","Tue",day="3-Wed","Wed",day="4-Thu","Thu",day="5-Fri","Fri")

Ciao.

Giuseppe

Reply
Get Updates on the Splunk Community!

Changes to Splunk Instructor-Led Training Completion Criteria

We’re excited to share an update to our instructor-led training program that enhances the learning experience ...

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

❄️ Welcome the new year with our January lineup of Community Office Hours, Tech Talks, and Webinars! &#x1f389; ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...