Splunk Search

Extract more values for the same item in one row

atelesca
Explorer

Hello,
I have the following output of a script:
fcs1 0 0 0 1 0 1 0 1 1 1
fcs2 0 0 0 1 1 1 0 0 0 0
fcs3 0 0 0 1 1 1 1 1 0 0

where the first word is the device name and the 0-1 values represent the statuses of the ports.
Could you help in extracting the status and associate it with the port number?
I would like to be able to extract:
port=1 status=0
port=2 status=0
port=3 status=0
port=4 status=1
port=5 status=0
...
for each device.
In this way, I can plot the status by port.

Does anyone know how to do it?
Thanks
Adriana


sdaniels
Splunk Employee

Assuming each line is one event, you can put these in the appropriate files under your user at /etc/users//local. If the file doesn't exist, just create a new file for it.

Once the data is broken into the different port numbers you can do a search like this:

sourcetype="your_sourcetype" | table PortName, Port1, Port2, Port3, Port4, Port5, Port6, Port7, Port8, Port9, Port10

inputs.conf

[monitor:///Users/path/path/file.txt]
disabled = false
followTail = 0
sourcetype = your_sourcetype

props.conf

[your_sourcetype]
SHOULD_LINEMERGE = false
REPORT-testdata = your_extractions

transforms.conf

[your_extractions]
DELIMS = " "
FIELDS = "PortName", "Port1", "Port2", "Port3", "Port4", "Port5", "Port6", "Port7", "Port8", "Port9", "Port10"
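The configuration above gives one field per port (Port1 ... Port10), which is convenient for a table but awkward for a chart of status by port number. The search below is an added example, not part of the answer above or of any Splunk documentation; it reshapes each event into one row per port (device, port, status), which is the port=N status=X form the question asks for, and then charts it. It assumes the same sourcetype name (your_sourcetype) and that each event is a single line of the form "<device> <s1> <s2> ... <sN>"; it parses _raw directly, so it does not depend on the props/transforms extractions being in place.

```spl
sourcetype="your_sourcetype"
| rex field=_raw "^(?<device>\S+)\s+(?<statuses>.+?)\s*$"
| makemv delim=" " statuses
| eval port_index=mvrange(1, mvcount(statuses)+1)
| eval pair=mvzip(port_index, statuses, "=")
| mvexpand pair
| rex field=pair "^(?<port>\d+)=(?<status>[01])$"
| eval port=tonumber(port), status=tonumber(status)
| fields device port status
| chart max(status) over port by device
```

mvrange builds the multivalue list 1..N alongside the N status tokens, mvzip pairs them element by element into "1=0", "2=0", ..., and mvexpand turns each pair into its own event before the second rex splits it back into port and status. Drop the final chart line to see the raw device/port/status rows; keeping it gives a column chart with the port number on the x axis and one series per device, so a missing bar means status 0 and a full bar means status 1.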

sdaniels
Splunk Employee

If you put this into a chart you will get a column chart with a legend that has a color for each Port. With this data I have three Port Names on the x axis, and for each one there is a bar for value 1 or nothing if it is 0.


atelesca
Explorer

I would like a column graph where the columns are the status (0-1) in correspondence with the port number (1-2-3-4).
x1=1 y1=Port1 x2=2 y2=Port2 x3=3 y3=Port3


sdaniels
Splunk Employee

What do you want the graph to look like?

atelesca
Explorer

Hello, thanks for your answer. I thought of that, but then I don't know how to have a graph showing the different statuses by port number. Do you have any idea of how to do that?
