Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Extract more values for the same item in one row

atelesca
Explorer
‎09-21-2012 06:39 AM

Hello,
I have the following output of a script:
fcs1 0 0 0 1 0 1 0 1 1 1
fcs2 0 0 0 1 1 1 0 0 0 0
fcs3 0 0 0 1 1 1 1 1 0 0

where the first word is the device name and the 0-1 values represent the statuses of the ports.
Could you help in extracting the status and associate it with the port number?
I would like to be able to extract:
port=1 status=0
port=2 status=0
port=3 status=0
port=4 status=1
port=5 status=0
...
for each device.
In this way, I can plot the status by port.

Does anyone know how to do it?
Thanks
Adriana

Tags (2)
Reply

sdaniels
Splunk Employee
Splunk Employee
‎09-21-2012 07:24 AM

Assuming each line is one event. You can put these in the appropriate files under your user at /etc/users//local. If the file doesn't exist just create a new file for it.

Once the data is broken into the different port numbers you can do a search like this:

sourcetype="your_sourcetype" | table PortName, Port1, Port2, Port3, Port4, Port5, Port6, Port7, Port8, Port9, Port10

inputs.conf 

[monitor:///Users/path/path/file.txt]
disabled = false
followTail = 0
sourcetype = your_sourcetype

props.conf

[your_sourcetype]
SHOULD_LINEMERGE = false
REPORT-testdata = your_extractions

transforms.conf

[your_extractions]
DELIMS = " "
FIELDS = "PortName", "Port1", "Port2","Port3", "Port4","Port5", "Port6","Port7", "Port8","Port9", "Port10"
Reply

sdaniels
Splunk Employee
Splunk Employee
‎09-21-2012 07:42 AM

If you put this to a chart you will get a column chart with a legend that has a color for each Port. With this data I have three Port Names on the x axis and for each one there is a bar for value 1 or nothing if it is 0.

0 Karma
Reply

atelesca
Explorer
‎09-21-2012 07:33 AM

I would like a column graph where the columns is the status (0-1) in correspondence of the port number (1-2-3-4).
x1=1 y1=Port1 x2=2 y2=Port2 x3=3 y3=Port3

0 Karma
Reply

sdaniels
Splunk Employee
Splunk Employee
‎09-21-2012 07:30 AM

What do you want the graph to look like?

Reply

atelesca
Explorer
‎09-21-2012 07:26 AM

Hello, thanks for your answer. I though of that, but then I don't know how to have a graph showing the different status by port number. Do you have any idea of how to do that?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...