Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Display multi date_wday values in single column

ahogbin
Communicator
‎07-13-2015 07:53 PM

Hello,

I am attempting (unsuccessfully so far) to display multiple date_wday values in a single table column.

My search checks for errors over a 7 day period. There are errors that occur on multiple days or may only occur after a certain day (in the case of application updates etc).

My end aim is to produce table that has the error and the days that the error occurred on.
<Search> | table error dayserroroccurredon

++Output++
ERROR XXXXX Mon, Tues, Wed
ERROR XXXXX Wed, Thursday

I have tried various appends but none give me the result I want and simply put each day on a new line

Is there away to combine the day values into a single field that can then be outputted to a table ?

Any help or advise will be greatly appreciated.

Cheers,

Alastair

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎07-13-2015 08:09 PM

It is hard to be sure without more detail but perhaps this:

... | stats values(date_wday) AS dayserroroccurredon BY error | nomv dayserroroccurredon

The stats command creates a multivalued field and the nomv command merges all the values into a single whitespaced conglomerated value.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎07-13-2015 08:09 PM

It is hard to be sure without more detail but perhaps this:

... | stats values(date_wday) AS dayserroroccurredon BY error | nomv dayserroroccurredon

The stats command creates a multivalued field and the nomv command merges all the values into a single whitespaced conglomerated value.

0 Karma
Reply
Solved! Jump to solution

ahogbin
Communicator
‎07-13-2015 08:56 PM

Works a treat.. thank you.

Now just to work out how to get the count of the number of times the error occurred.

0 Karma
Reply
Solved! Jump to solution

ahogbin
Communicator
‎07-13-2015 09:08 PM

Thank you... I ended up adding
stats values(date_wday) AS dayserroroccurredon count(errortype) AS errCount BY errortype but I prefer your way as it is neater and easier to understand.
Cheers and thanks again for your help

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎07-13-2015 08:58 PM

Like this:

... | stats count values(date_wday) AS dayserroroccurredon BY error | nomv dayserroroccurredon
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...