Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How can I put multi-value fields as columns and put checks were they are present ?

Charlotte94
New Member
‎08-11-2017 07:54 AM

Hello everyone, I'm just beginning to use Splunk and iIwant to do this :

alt text

I already tried this : 

index="************" 
|fields tag, id
| mvexpand tag
|dedup tag
|chart limit=0 dc(id)  by id, tag
|replace 1 with "X"
|replace 0 with ""

But it doesn't work like I want, I lost some data when I dedup on tag...

What am I doing wrong? Could you help me?

Thank you for your time !

Preview file
1 KB
0 Karma
Reply

woodcock
Esteemed Legend
‎08-11-2017 12:59 PM

Just add this:

| chart count OVER _time BY tag
| fields - NULL
| replace 1 with "*" 0 with ""
0 Karma
Reply

DalJeanis
Legend
‎08-11-2017 12:32 PM

We had to leave a blank value in there to have that day with no tags remain in the chart.

Here's a run anywhere sample... 

| gentimes start=07/31/17 end=8/1/17
| eval mydata="+10d,a b c d e f!!!!+11d,b e f!!!!+12d,c e a d!!!!+13d,a c f!!!!+14d,f!!!!+15d,b!!!!+16d,((none))!!!!+17d,g" 
| makemv DELIM="!!!!" mydata
| mvexpand mydata
| makemv DELIM="," mydata
| eval _time=relative_time(starttime,mvindex(mydata,0))
| eval tag=split(mvindex(mydata,1)," ")
| table _time tag
| mvexpand tag
| eval unit=1
| eval tag=if(tag="((none))"," ",tag)
| chart limit=0 eval(case(tag=" "," ",max(unit)>0,"X",true(),null())) over _time by tag

...with these results... (there is a blank column to the left of a)....

_time             a  b  c  d  e  f  g  
2017-08-10        X  X  X  X  X  X    
2017-08-11           X        X  X    
2017-08-12        X     X  X  X      
2017-08-13        X     X        X    
2017-08-14                       X    
2017-08-15           X            
2017-08-16                     
2017-08-17                          X
0 Karma
Reply

somesoni2
Revered Legend
‎08-11-2017 09:43 AM

I don't think you should be doing dedup. If your tag field is multivalued field and you want to show combinations of a id and tag, don't do dedup. Remove it and see if gives the output you want.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to February Tech Talks, Office Hours, and Webinars!

💌 Keep the new year’s momentum going with our February lineup of Community Office Hours, Tech Talks, ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Incident Response: Reduce Incident Recurrence with Automated Ticket Creation

Culture extends beyond work experience and coffee roast preferences on software engineering teams. Team ...