Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Any way to break this row into two columns?

bhavlik
Path Finder
‎11-26-2019 02:03 PM

I am setting up a dashboard that monitors count of events on a daily basis and a previous 30 day average by customer. I have the search built and each customer has a row of data. For the dashboard, I want to display each customer in its own table. But I am struggling on how to convert the row of data in to the table format I'd like to display.

Here is the row of data after I query a customer from the saved search:
alt text

Here's what I'd like it to look like:
alt text

Any thoughts on how to achieve this?

Tags (1)
Preview file
1 KB
Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎11-26-2019 03:07 PM

Like this:

| makeresults 
| eval _raw="billing_yest=541 ftg_yest=3816 main_yest=4537 nav_yest=2685 billing_avg=688.37 ftg_avg=5128.5 main_avg=4694 nav_avg=3317.97" 
| kv 
| fields - _* 

|  rename COMMENT AS "Everything above generates sample event data; everything below is your solution"

| untable foo index_agg metric
| rex field=index_agg "^(?<index>.*)_(?<agg>.*)$"
| eval {agg} = metric
| rename avg AS Average, yest AS Daily
| selfjoin index
| table index Daily Average

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎11-26-2019 03:07 PM

Like this:

| makeresults 
| eval _raw="billing_yest=541 ftg_yest=3816 main_yest=4537 nav_yest=2685 billing_avg=688.37 ftg_avg=5128.5 main_avg=4694 nav_avg=3317.97" 
| kv 
| fields - _* 

|  rename COMMENT AS "Everything above generates sample event data; everything below is your solution"

| untable foo index_agg metric
| rex field=index_agg "^(?<index>.*)_(?<agg>.*)$"
| eval {agg} = metric
| rename avg AS Average, yest AS Daily
| selfjoin index
| table index Daily Average
0 Karma
Reply
Solved! Jump to solution

bhavlik
Path Finder
‎11-27-2019 08:13 AM

This is great. Thanks! I definitely need to read up on a couple commands you used, specifically untable and the eval { }.

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎11-27-2019 08:21 AM

The untable command is transpose with an anchor or pivot field (in this case foo which does not exist so it transposes everything).

0 Karma
Reply
Solved! Jump to solution

bhavlik
Path Finder
‎11-26-2019 02:33 PM

I was able to get the desired results with the following:

  | loadjob savedsearch="Monitoring" 
    | search propertyId=123456789 
    | fields - propertyId FullHospitalName date phi* *_avg 
    | rename billing_yest as Billing ftg_yest as FTG main_yest as Main nav_yest as Nav 
    | transpose column_name=Index 
    | rename "row 1" as DailyCount 
    | join type=left Index 
        [| loadjob savedsearch="Monitoring" 
        | search propertyId=123456789 
        | fields - propertyId FullHospitalName date phi* *_yest 
        | rename billing_avg as Billing ftg_avg as FTG main_avg as Main nav_avg as Nav 
        | transpose column_name=Index 
        | rename "row 1" as Avg30]
    | eval Status=case(DailyCount=0,"No Events",DailyCount<Avg30*.8,"Warning",true(),"Good")

Is there a better way to do this?

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎11-26-2019 03:07 PM

Do not use join.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...