Splunk Search

Cascade Table View

ylucena
Explorer

Hello everyone,

I am trying to put a table view together with no luck. The view is rather simple in theory but I cannot render it using SPL. I'd like to display the values of OS BY ip_address BY interface BY host. I would like them to be contained in one another from the most specific to the least (right to left). Using "values() by " won't give me the view I need. Ultimately, I wanted to show all rows for a field but only one for the common parent. I'd like to see something like the below. Sort of like a cascade effect. I'd appreciate any help!! Please, let me know if I am not being clear enough.

Host    |   interface   |   ip_address  |   OS

Host1       eth0            10.110.x.x      linux
                                               windows
                                               OSX

                            10.110.x.x      linux
                                              windows
                                              OSX

                            10.110.x.x      linux
                                              windows
                                              OSX

            eth1            10.110.x.x      linux
                                              windows
                                              OSX

                            10.110.x.x      linux
                                              windows
                                              OSX

                            10.110.x.x      linux
                                              windows
                                              OSX

Host2       eth0            10.110.x.x      linux
                                              windows
                                              OSX

                            10.110.x.x      linux
                                              windows
                                              OSX

                            10.110.x.x      linux
                                              windows
                                              OSX

            eth1            10.110.x.x      linux
                                              windows
                                              OSX

                            10.110.x.x      linux
                                              windows
                                              OSX

                            10.110.x.x      linux
                                              windows
                                              OSX

spavin
Path Finder

Hi @ylucena,

One way to filter out already defined data is to use streamstats combined with evals.

First thing to do is sort the table by Host, interface, ip_address and OS.
Then you can compare each row with the value of the previous row. If they are the same as the previous line, then change the value to "".

|...previous search here...
| sort Host, interface, ip_address, OS
| streamstats current=false  last(Host) as prev_host, last(interface) as prev_interface, last(ip_address) as prev_ipaddress
| eval Host=if(Host==prev_host,"",Host)
| eval interface=if(Host=="" AND interface == prev_interface,"",interface)
| eval ip_address=if(Host=="" AND interface=="" AND ip_address==prev_ipaddress,"",ip_address)
| table Host, interface, ip_address, OS

Checks:

  • This search checks the Host to see if it's the same as the last one, and if so sets it to "".
  • Next it looks at the Interface - if the host is already set to "" and the interface is the same as the last one, then it sets the interface to "".
  • Finally, a similar check is done for ip_address. As long as the Host and interface are blank, it will set the ip_address to "" if it's the same as the previous one.
  • In all other cases the fields are left as-is.

That results in the following:

[screenshot of the resulting table, not preserved]

Cheers,
Daniel

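The blanking logic from the answer above, re-implemented in Python as an added example (not SPL from the original post or its author) so the chained guard conditions can be checked on constructed rows; `cascade`, `render`, `SAMPLE_ROWS` and the IP values are assumptions. The `guarded=False` path shows what goes wrong without the `Host==""` / `interface==""` checks.

```python
from typing import Dict, List, Optional

# Constructed sample rows (not from the original post), standing in for the
# output of "...previous search here...". Both hosts have an eth0 on purpose.
SAMPLE_ROWS: List[Dict[str, str]] = [
    {"Host": "Host2", "interface": "eth0", "ip_address": "10.110.2.1", "OS": "linux"},
    {"Host": "Host1", "interface": "eth0", "ip_address": "10.110.1.1", "OS": "windows"},
    {"Host": "Host1", "interface": "eth0", "ip_address": "10.110.1.1", "OS": "linux"},
    {"Host": "Host1", "interface": "eth0", "ip_address": "10.110.1.2", "OS": "OSX"},
    {"Host": "Host2", "interface": "eth0", "ip_address": "10.110.2.1", "OS": "windows"},
]

PARENTS = ["Host", "interface", "ip_address"]  # least to most specific
LEAF = "OS"


def cascade(rows: List[Dict[str, str]], guarded: bool = True) -> List[Dict[str, str]]:
    """Mirror `sort` + `streamstats current=false last(...)` + the chained evals.

    guarded=True: a parent column is blanked only if it equals the previous
    row's value AND every column to its left was blanked as well (the
    `Host=="" AND interface==prev_interface` conditions in the SPL).
    guarded=False: each column is compared on its own, which wrongly hides
    eth0 under Host2 because Host1's last row also had eth0.
    """
    ordered = sorted(rows, key=lambda r: tuple(r[k] for k in PARENTS + [LEAF]))
    out: List[Dict[str, str]] = []
    prev: Optional[Dict[str, str]] = None  # previous row with its original values
    for row in ordered:
        shown = dict(row)
        if prev is not None:
            for col in PARENTS:
                if row[col] == prev[col]:
                    shown[col] = ""
                elif guarded:
                    break  # a differing parent keeps all its children visible
        out.append(shown)
        prev = row  # like streamstats: compare against raw values, not blanked ones
    return out


def render(rows: List[Dict[str, str]]) -> str:
    """Fixed-width text rendering like `| table Host, interface, ip_address, OS`."""
    cols = PARENTS + [LEAF]
    widths = {c: max(len(c), *(len(r[c]) for r in rows)) for c in cols}
    lines = ["  ".join(c.ljust(widths[c]) for c in cols)]
    lines += ["  ".join(r[c].ljust(widths[c]) for c in cols) for r in rows]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(cascade(SAMPLE_ROWS)))
```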