Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Display multi date_wday values in single column

ahogbin
Communicator
‎07-13-2015 07:53 PM

Hello,

I am attempting (unsuccessfully so far) to display multiple date_wday values in a single table column.

My search checks for errors over a 7 day period. There are errors that occur on multiple days or may only occur after a certain day (in the case of application updates etc).

My end aim is to produce table that has the error and the days that the error occurred on.
<Search> | table error dayserroroccurredon

++Output++
ERROR XXXXX Mon, Tues, Wed
ERROR XXXXX Wed, Thursday

I have tried various appends but none give me the result I want and simply put each day on a new line

Is there away to combine the day values into a single field that can then be outputted to a table ?

Any help or advise will be greatly appreciated.

Cheers,

Alastair

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎07-13-2015 08:09 PM

It is hard to be sure without more detail but perhaps this:

... | stats values(date_wday) AS dayserroroccurredon BY error | nomv dayserroroccurredon

The stats command creates a multivalued field and the nomv command merges all the values into a single whitespaced conglomerated value.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎07-13-2015 08:09 PM

It is hard to be sure without more detail but perhaps this:

... | stats values(date_wday) AS dayserroroccurredon BY error | nomv dayserroroccurredon

The stats command creates a multivalued field and the nomv command merges all the values into a single whitespaced conglomerated value.

0 Karma
Reply
Solved! Jump to solution

ahogbin
Communicator
‎07-13-2015 08:56 PM

Works a treat.. thank you.

Now just to work out how to get the count of the number of times the error occurred.

0 Karma
Reply
Solved! Jump to solution

ahogbin
Communicator
‎07-13-2015 09:08 PM

Thank you... I ended up adding
stats values(date_wday) AS dayserroroccurredon count(errortype) AS errCount BY errortype but I prefer your way as it is neater and easier to understand.
Cheers and thanks again for your help

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎07-13-2015 08:58 PM

Like this:

... | stats count values(date_wday) AS dayserroroccurredon BY error | nomv dayserroroccurredon
0 Karma
Reply
Get Updates on the Splunk Community!

OpenTelemetry for Legacy Apps? Yes, You Can!

This article is a follow-up to my previous article posted on the OpenTelemetry Blog, "Your Critical Legacy App ...

UCC Framework: Discover Developer Toolkit for Building Technology Add-ons

The Next-Gen Toolkit for Splunk Technology Add-on Development The Universal Configuration Console (UCC) ...

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...