Splunk Search

Create Search, table and drilldown with events multivalues

Carolina
Engager

Hi,

I have this log with the following structure.

12/06/2018 08.00:58.330 [[ACTIVE] Executetheread: '4' for queue. processENSESION
num de inst participantes ---> 25
fecha de operacion ---> 20180612
claves ---> 301,800,390,831,9,28,289,948,984,829,
nombre ---> prueba01,prueba02, prueba03, prueba04,prueba05,prueba06,prueba07,prueba08,prueba09,prueba10
estado ---> R,R,R,R,R,R,R,R,N,R

12/06/2018 08.00:47.330 [[ACTIVE] Executetheread: '4' for queue. processENSESION
num de inst participantes ---> 25
fecha de operacion ---> 20180612
claves ---> 301,800,390,831,9,28,289,948,984,829,
nombre ---> prueba01,prueba02, prueba03, prueba04,prueba05,prueba06,prueba07,prueba08,prueba09,prueba10
estado ---> R,R,R,R,R,R,R,R,R,R

I need to create a dashboard with the following design.
Filter and count by estado R or N, but only the last event.

And when you click on the panel, display a table with only the data (claves, nombre, estado) according to the previous filter.

I have the following query in Splunk:

index=open source=appskp 
| head 1
| mvexpand claves
| mvexpand nombre
| mvexpand estado
| makemv delim="," claves
| makemv delim="," nombre
| makemv delim="," estado
| table claves nombre estado
| eval filter=mvfilter(estado="R")
| table claves nombre estado

Regards.

0 Karma
1 Solution

DalJeanis
Legend

@Carolina - Please feel free to repeat a section of your question in Spanish. There are many Spanish speakers in the Splunk community, and we'd be happy to help. I'm going to give my advice in English, since half of it has to be in English anyway due to the keywords involved.

When you say "only the last event", I assume that you have accomplished that requirement with the head 1 in your code.

Here are the steps to make your desired dashboard:

1) Use your above query as a "base" query to create the underlying table for each of your two panels. Please verify that the below code produces a table with both R and N estado values in it.

 index=open source=appskp 
 | head 1

 | rename COMMENT as "turn the individual fields into multivalue fields"
 | makemv delim="," claves
 | makemv delim="," nombre
 | makemv delim="," estado

 | rename COMMENT as "zip them together into a single field, then split up the records"
 | eval myzip=mvzip(mvzip(claves,nombre,"!!!!"),estado,"!!!!")
 | mvexpand myzip

 | rename COMMENT as "unpack the fields again and make a table"
 | rex field=myzip "(?<claves>\d+)!!!!(?<nombre>.+?)!!!!(?<estado>.+)"
 | table claves nombre estado

2) For each of your gauges, use the base query and a post-processing filter for the received-or-not-received state.

 | where estado="R"

or

 | where estado="N"

3) Create two more panels, one to show the data table for each. Use the depends= keyword with a distinct token for each one, to hide them until they are desired.

4) Set the click for each of your shown gauges to set the depends token for its own table and to unset the depends token for the other table.


0 Karma
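Putting steps 1 to 4 together as one Simple XML dashboard is an added example and not code from DalJeanis or from the original post. It assumes the index and source named in the question, a 24-hour time range, single value panels (`<single>`) in place of gauges, and two token names of my choosing, show_r and show_n; the panel titles are also mine. It adds an eval trim() because the sample nombre values carry a leading space after some commas, and it escapes the `<` and `>` of the rex named groups as `&lt;` and `&gt;`, which XML requires inside `<query>`.

```xml
<form>
  <label>Estado del ultimo evento</label>

  <!-- Step 1: base search, run once and shared by every panel below.
       head 1 keeps only the most recent event; makemv/mvzip/mvexpand
       turn the three comma lists into one row per (clave, nombre, estado). -->
  <search id="base">
    <query>
      index=open source=appskp
      | head 1
      | makemv delim="," claves
      | makemv delim="," nombre
      | makemv delim="," estado
      | eval myzip=mvzip(mvzip(claves,nombre,"!!!!"),estado,"!!!!")
      | mvexpand myzip
      | rex field=myzip "(?&lt;claves&gt;\d+)!!!!(?&lt;nombre&gt;.+?)!!!!(?&lt;estado&gt;.+)"
      | eval nombre=trim(nombre)
      | table claves nombre estado
    </query>
    <earliest>-24h</earliest>
    <latest>now</latest>
  </search>

  <!-- Step 2: one count per estado, each a post-process of the base search.
       Step 4: clicking a count sets its own token and unsets the other one. -->
  <row>
    <panel>
      <title>Recibidos (R)</title>
      <single>
        <search base="base">
          <query>| where estado="R" | stats count</query>
        </search>
        <drilldown>
          <set token="show_r">true</set>
          <unset token="show_n"></unset>
        </drilldown>
      </single>
    </panel>
    <panel>
      <title>No recibidos (N)</title>
      <single>
        <search base="base">
          <query>| where estado="N" | stats count</query>
        </search>
        <drilldown>
          <set token="show_n">true</set>
          <unset token="show_r"></unset>
        </drilldown>
      </single>
    </panel>
  </row>

  <!-- Step 3: detail tables, hidden until their token exists. -->
  <row>
    <panel depends="$show_r$">
      <title>Detalle R</title>
      <table>
        <search base="base">
          <query>| where estado="R"</query>
        </search>
      </table>
    </panel>
    <panel depends="$show_n$">
      <title>Detalle N</title>
      <table>
        <search base="base">
          <query>| where estado="N"</query>
        </search>
      </table>
    </panel>
  </row>
</form>
```

At load neither token is set, so both detail tables are hidden; clicking the R count sets $show_r$ and unsets $show_n$, so at most one table is visible at a time. The base search ends in a transforming command (table), which is what makes it safe to post-process; the where filters run on its results rather than re-querying the index.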


niketn
Legend

@Carolina does the raw data appear the same way as in your question? Or is the data actually multivalue?

Following is a run-anywhere search based on your sample data:

| makeresults
| eval _raw="12/06/2018 08.00:47.330 [[ACTIVE] Executetheread: '4' for queue. processENSESION
num de inst participantes ---> 25
fecha de operacion ---> 20180612
claves ---> 301,800,390,831,9,28,289,948,984,829,
nombre ---> prueba01,prueba02, prueba03, prueba04,prueba05,prueba06,prueba07,prueba08,prueba09,prueba10
estado ---> R,R,R,R,R,R,R,R,R,R"
| rex "claves ---> (?<claves>.*),\s+nombre ---> (?<nombre>.*)\s+estado ---> (?<estado>.*)"
| fields - _time _raw
| head 1
| makemv claves delim=","
| makemv nombre delim=","
| makemv estado delim=","
| eval data=mvzip(claves,mvzip(nombre,estado))
| fields data
| mvexpand data
| makemv data delim=","
| eval claves=mvindex(data,0),nombre=mvindex(data,1),estado=mvindex(data,2)
| table claves nombre estado
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Carolina
Engager

@niketnilay the data is multivalue in the log.
Actually, I have a regex for the fields claves, nombre and estado.

0 Karma

logloganathan
Motivator

We are not able to understand clearly.
Please provide the output format for a better understanding.

0 Karma

Carolina
Engager

Hi,
OK, thank you. I updated the output.
Regards.

0 Karma