Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

A table with fields as lines

timmalos
Communicator
‎09-13-2013 07:13 AM

We got some events ,with an extract we got 

Event 1 : Field1=VALUE11,Field2=VALUE12,Field3=VALUE13,... 
Event 2 : Field1=VALUE21,Field2=VALUE22,Field3=VALUE23,... 
Event 3 : Field1=VALUE31,Field2=VALUE32,Field3=VALUE33,... 
etc...

What we would like is obtain a table like this: 

Metric    |     Field1        |      Field 2      |    Field 3 ... 
----------------------------------------------------------------------------------
      Avg | avg(Field1)       | avg(Field2)       | avg(Field3) ... 
   Median | median(Field1)    | median(Field2)    | median(Field3) ... 
Sparkline | sparkline(Field1) | sparkline(Field2) | sparkline(Field3) ...

What the best way to do that?
Seems impossible to find an easy way.
We tried in this direction : 

| eval metric=mvappend("avg","median") | mvexpand metric | eval value=case(metric=="swFCPortRxC3Frames",swFCPortRxC3Frames,metric=="swFCPortRxC2Frames",swFCPortRxC2Frames) | chart latest(value) by metric swFCPortIndex

Thx for your help !

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jonuwz
Influencer
‎09-13-2013 12:00 PM

Lots of metrics in the same event require you to know what the field names are if you're going to perform stats on them. The workaround is to use untable. Whenever you think "How the heck .." - untable is usually the answer. xyseries is its inverse.

I have data similar to yours. every 2 minute I have a feed of disk utilization that looks like :

Event 1: sda=0.0;sda1=0.0;sda2=0.0
Event 2: sda=10.3;sda1=1.0;sda2=9.3

Here's the search that only hits the index once, and works for arbitrarily named fields :
The 1st "table" is where you include / filter the fields you are interested in - this allows far more flexibility than using wildcards in the stats commands.

initial search
| table _time sd*
| untable _time field value
| eval metric="raw"
| appendpipe [ | stats avg(value) as data by field | eval metric="Average" ]
| appendpipe [ | stats median(value) as data by field | eval metric="Median" ]
| appendpipe [ | stats sparkline(avg(value)) as data by field | eval metric="Sparkline" ]
| where metric !="raw"
| xyseries metric field data

result :

alt text

You can save yourself a lot of headache by transposing the columns and rows

initial search
| table _time sd*
| untable _time field value
| chart avg(value) as Average median(value) as Median sparkline(avg(value)) as sparkline by field

alt text

View solution in original post

Reply
Solved! Jump to solution

timmalos
Communicator
‎09-16-2013 12:37 AM

You 're right, but i needed the untable() function that i didn't know to do that 🙂

0 Karma
Reply
Solved! Jump to solution
Solution

jonuwz
Influencer
‎09-13-2013 12:00 PM

Lots of metrics in the same event require you to know what the field names are if you're going to perform stats on them. The workaround is to use untable. Whenever you think "How the heck .." - untable is usually the answer. xyseries is its inverse.

I have data similar to yours. every 2 minute I have a feed of disk utilization that looks like :

Event 1: sda=0.0;sda1=0.0;sda2=0.0
Event 2: sda=10.3;sda1=1.0;sda2=9.3

Here's the search that only hits the index once, and works for arbitrarily named fields :
The 1st "table" is where you include / filter the fields you are interested in - this allows far more flexibility than using wildcards in the stats commands.

initial search
| table _time sd*
| untable _time field value
| eval metric="raw"
| appendpipe [ | stats avg(value) as data by field | eval metric="Average" ]
| appendpipe [ | stats median(value) as data by field | eval metric="Median" ]
| appendpipe [ | stats sparkline(avg(value)) as data by field | eval metric="Sparkline" ]
| where metric !="raw"
| xyseries metric field data

result :

alt text

You can save yourself a lot of headache by transposing the columns and rows

initial search
| table _time sd*
| untable _time field value
| chart avg(value) as Average median(value) as Median sparkline(avg(value)) as sparkline by field

alt text

Reply
Solved! Jump to solution

lguinn2
Legend
‎09-13-2013 09:32 AM

I agree with @zeroactive. But this may do what you want

yoursearchhere
| stats avg(Field*) as Field*
| eval Metric="Average"
| append [ search yoursearchhere
   | stats median(Field*) as Field*
   | eval Metric="Median" ]
| append [ search yoursearchhere
   | stats sparkline(count(Field*)) as Field*
   | eval Metric="Sparkline" ]
| table Metric Field*
0 Karma
Reply
Solved! Jump to solution

jonuwz
Influencer
‎09-13-2013 11:11 AM

The sparklines will be the count of the samples, and wont plot the actual values.

0 Karma
Reply
Solved! Jump to solution

zeroactive
Path Finder
‎09-13-2013 07:44 AM

Odd way to look at data... Why not do the table by Field ID, with columns for Avg, Median, and Sparkline?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...

Splunk Developer Day announcements: AI agents, MCP tools, Forecasting, and Custom ...

Splunk Developer Day was packed with product and platform updates for developers building in the AI ...