Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Extract more values for the same item in one row

atelesca
Explorer
‎09-21-2012 06:39 AM

Hello,
I have the following output of a script:
fcs1 0 0 0 1 0 1 0 1 1 1
fcs2 0 0 0 1 1 1 0 0 0 0
fcs3 0 0 0 1 1 1 1 1 0 0

where the first word is the device name and the 0-1 values represent the statuses of the ports.
Could you help in extracting the status and associate it with the port number?
I would like to be able to extract:
port=1 status=0
port=2 status=0
port=3 status=0
port=4 status=1
port=5 status=0
...
for each device.
In this way, I can plot the status by port.

Does anyone know how to do it?
Thanks
Adriana

Tags (2)
Reply

sdaniels
Splunk Employee
Splunk Employee
‎09-21-2012 07:24 AM

Assuming each line is one event. You can put these in the appropriate files under your user at /etc/users//local. If the file doesn't exist just create a new file for it.

Once the data is broken into the different port numbers you can do a search like this:

sourcetype="your_sourcetype" | table PortName, Port1, Port2, Port3, Port4, Port5, Port6, Port7, Port8, Port9, Port10

inputs.conf 

[monitor:///Users/path/path/file.txt]
disabled = false
followTail = 0
sourcetype = your_sourcetype

props.conf

[your_sourcetype]
SHOULD_LINEMERGE = false
REPORT-testdata = your_extractions

transforms.conf

[your_extractions]
DELIMS = " "
FIELDS = "PortName", "Port1", "Port2","Port3", "Port4","Port5", "Port6","Port7", "Port8","Port9", "Port10"
Reply

sdaniels
Splunk Employee
Splunk Employee
‎09-21-2012 07:42 AM

If you put this to a chart you will get a column chart with a legend that has a color for each Port. With this data I have three Port Names on the x axis and for each one there is a bar for value 1 or nothing if it is 0.

0 Karma
Reply

atelesca
Explorer
‎09-21-2012 07:33 AM

I would like a column graph where the columns is the status (0-1) in correspondence of the port number (1-2-3-4).
x1=1 y1=Port1 x2=2 y2=Port2 x3=3 y3=Port3

0 Karma
Reply

sdaniels
Splunk Employee
Splunk Employee
‎09-21-2012 07:30 AM

What do you want the graph to look like?

Reply

atelesca
Explorer
‎09-21-2012 07:26 AM

Hello, thanks for your answer. I though of that, but then I don't know how to have a graph showing the different status by port number. Do you have any idea of how to do that?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...