This question is related my previous post.
https://community.splunk.com/t5/Splunk-Search/XML-field-Extraction/m-p/571944#M199301
My source have a date which i'll be extracting using rex command. I want my table data to be shown on those respective dates. I have used xyseries, but i cannot add other fields to the table.
source="weekly_report_20211025_160957*.xml" |rex field=source "weekly_report_(?<Date>\w.*)\.xml"|....
| table suitename name "Time taken(s)" status | xyseries name Date status
My final table should contain suitename , name, "Time taken(s)", status(under the Date filed).
Is there any method to append all these table fields after applying xyseries?
Just add any other field that you want to add to output, to eval (to merge), rex (to extract is again) and table command (to display). Like this:
source="weekly_report_20211025_160957*.xml" |rex field=source "weekly_report_(?<Date>\w.*)\.xml"|...
| table suitename name "Time taken(s)" status Date
| eval temp=suitename."###".name.'Time taken(s)'
| xyseries temp Date status
| rex field=temp "(?<suitename>[^\#]+)###(?<name>[^\#]+)###(?<Time>.+)" | fields - temp
| table suitename name Time *
| rename Time as "Time taken(s)"
Just add any other field that you want to add to output, to eval (to merge), rex (to extract is again) and table command (to display). Like this:
source="weekly_report_20211025_160957*.xml" |rex field=source "weekly_report_(?<Date>\w.*)\.xml"|...
| table suitename name "Time taken(s)" status Date
| eval temp=suitename."###".name.'Time taken(s)'
| xyseries temp Date status
| rex field=temp "(?<suitename>[^\#]+)###(?<name>[^\#]+)###(?<Time>.+)" | fields - temp
| table suitename name Time *
| rename Time as "Time taken(s)"
yes.. I got them.. Once again thank you so much for the help!!
Try like this:
source="weekly_report_20211025_160957*.xml" |rex field=source "weekly_report_(?<Date>\w.*)\.xml"|...
| table suitename name "Time taken(s)" status
| eval temp=suitename."###".name
| xyseries temp Date status
| rex field=temp "(?<suitename>[^\#]+)###(?<name>.+)" | fields - temp
| table suitename name *
Wow!! Thank you.. It is working perfectly...
Is there any way to add one field, ie "Time taken(s)"?