Format result table as tree or make indentations (parent-child relation)

New Member

I have the following data in columns:

id  parent  step_name
1           Step_1
2   1       Step_1_1
3   2       Step_1_1_1
4   2       Step_1_1_2
5   1       Step_1_2
6   1       Step_1_3

I would like to format the results to show the parent-child relationship. It can even be done graphically, with spaces or - like:

id  parent  step_name
1           Step_1
2   1       ->Step_1_1
3   2       --->Step_1_1_1
4   2       --->Step_1_1_2
5   1       ->Step_1_2
6   1       ->Step_1_3

I was trying to use eval, but without success.

0 Karma

New Member

Update: The real step names are something like: BeforeCall, AfterCall, EvaluatingXXX, Calling method ABC, etc.

0 Karma

SplunkTrust

I'm sure there's a better answer, but...

If these are all reasonably consistent, a couple of brute-force ways I thought of were to do something like eval indents_to_add=len(step_name)/4 |... Oh, I apologize: this really will be brute force.

eval ita=len(step_name)/4 | 
eval step_name=case(ita==3,"----->".step_name, ita==2,"--->".step_name, ita==1,"->".step_name,1==1,step_name)

So, we first divide the length of step_name by 4. You'll have to adjust that parameter; it may end up somewhat more complex. You could use "like" or "match" too - all sorts of things are possible. Once you have "indents_to_add" (ita because it was getting lengthy), then just run an eval case statement to prepend various things to step_name. You'll see the last case portion (1==1) is always true - at least in this universe - so it acts as a default, which says to just make it step_name without anything prepended.

I did look for a way to, say, run a rex mode=sed using a variable amount, but that doesn't seem possible. (Something like, in the case above, using ... | rex field=step_name mode=sed "s/(.*)/-{$ita]\1/g", but again, that shouldn't work.)

0 Karma

New Member

Your brute force method won't work at all (I tried a few before asking this question). Just look at points 5 and 6: they don't need one indentation. Moreover, my step names are not so easy to parse with length. I just changed them to make the example easy to read. I will add an update.

0 Karma

SplunkTrust

Well, shucks.

The technique still may work if we make some changes. Your examples - "BeforeCall" and stuff like that could be possibly used with "match", but first - can you tell me that each event defines its own level and is consistent? Like, will all "BeforeCall" events be indented Y, and all "Evaluating" calls will be indented by amount X, regardless of what comes before them or after them? If that's the case (regardless of the specifics of how far each is), then we can get this done fairly easily still.

If it is not the case, and instead how far something gets indented is dependent upon both itself AND some other events (so an Evaluating that comes after a BeforeCall gets indented 4, but an Evaluating that comes after a CallingMethodC gets indented 6?) If that's the case, this is probably still possible, but might be a bit more work.

Or is it totally just a nesting problem?

Alternatively, how many different distinct things are we talking about here? 5? 50? more? Because I have ideas for those, too.

Could you post some actual data with the formatting you want? It would help immensely.

0 Karma

New Member

I have a lot of steps (usually up to 20-30, but the maximum is 3000). They can have the same names on different levels, because every remote call can have BeforeCall and AfterCall logged.
The real data and real problem are described at https://kzhendev.wordpress.com/2015/05/18/measuring-application-performance-with-mini-profiler-and-s...
My only change is to use tab-separated columns instead of JSON.

0 Karma
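
An added example, not written by any poster in this thread: because step names repeat on different levels, the indentation has to come from the id/parent links rather than from the name or its length. This Python code, run outside SPL on the tab-separated columns described above, computes each row's depth and prepends the arrow prefix from the question; the function names and sample rows are constructed for illustration, and rows are assumed to arrive in display order.

```python
import csv
import io

# Constructed sample: tab-separated id/parent/step_name, names repeat per level.
SAMPLE = (
    "id\tparent\tstep_name\n"
    "1\t\tBeforeCall\n"
    "2\t1\tCalling method ABC\n"
    "3\t2\tBeforeCall\n"
    "4\t2\tAfterCall\n"
    "5\t1\tEvaluatingXXX\n"
    "6\t1\tAfterCall\n"
)


def depth_of(node, parents, cache):
    """Number of ancestors of node. Iterative, so a deep chain among
    thousands of steps cannot hit Python's recursion limit."""
    path, cur = [], node
    while cur not in cache:
        if cur in path:
            raise ValueError(f"cycle in parent links at id {cur}")
        path.append(cur)
        parent = parents[cur]
        if parent == "" or parent not in parents:
            cache[cur] = 0  # root, or parent row absent from the results
            break
        cur = parent
    for n in reversed(path):  # fill depths from the known ancestor downwards
        if n not in cache:
            cache[n] = cache[parents[n]] + 1
    return cache[node]


def render(tsv_text):
    """Return (id, parent, indented step_name) tuples in input order."""
    rows = list(csv.DictReader(io.StringIO(tsv_text), delimiter="\t"))
    parents = {r["id"]: r["parent"] for r in rows}
    cache, out = {}, []
    for r in rows:
        d = depth_of(r["id"], parents, cache)
        prefix = "-" * (2 * d - 1) + ">" if d else ""  # "->", "--->", ...
        out.append((r["id"], r["parent"], prefix + r["step_name"]))
    return out


if __name__ == "__main__":
    for row in render(SAMPLE):
        print("\t".join(row))
```

A row whose parent id is missing from the result set is treated as a root, and a loop in the parent links raises an error instead of hanging.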

SplunkTrust

Hi ptrstpp950, I deleted the duplicate question and hope you don't mind 😉

cheers, MuS

0 Karma

New Member

@Mus Of course 🙂 Thanks.

0 Karma