Splunk Search

How do I append a row based on a condition to chart an output?

Path Finder

Hello All,

I need to construct SPL for the requirement below.

Version  P2  P3
1.10     5   0
1.11     1   3
1.9      0   2

I have 4 versions available, but I can see only 3 versions in the output of the chart. I want to add version 1.12 with 0 in each priority, like below:

[Version]  [P1]  [P2]  [P3]
1.10       0     5     0
1.11       0     1     3
1.9        0     0     2
1.12       0     0     0

Thank you for your time and help!

0 Karma
1 Solution

SplunkTrust
SplunkTrust

@vikas_baranwal hope you have some kind of master lookup for all versions. To your existing search, which returns the specific versions available in the index, you can append a search to get all versions and then eval to add P1, P2 and P3 as 0. Finally, perform a dedup on Version to retain the 0-value results only for versions that are missing in the index.

Following is an example:

index=someindex sourcetype=somesourcetype
| <your statistical query to get Version, P1, P2 and P3>
| table Version P1 P2 P3
| append
    [| makeresults
    | fields - _time
    | eval Version="1.10,1.11,1.12,1.9"
    | makemv Version delim=","
    | mvexpand Version
    | eval P1=0,P2=0,P3=0]
| dedup Version

PS: instead of | makeresults .... mvexpand Version, you can have inputlookup etc depending on your use case to pull the list of all available Versions.

Please try out and confirm!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"


0 Karma
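An added example, not from any poster in this thread, that takes the master list from a lookup as the PS suggests and uses fillnull plus stats instead of dedup, so the zero rows are merged regardless of which result set comes first and the P1 column is created even when no P1 events exist. The index, sourcetype, the lookup name all_versions.csv (with a Version column) and the split-by field name priority are assumptions.

```spl
index=someindex sourcetype=somesourcetype
| chart count over Version by priority
| append
    [| inputlookup all_versions.csv
    | fields Version ]
| fillnull value=0 P1 P2 P3
| stats max(P1) as P1, max(P2) as P2, max(P3) as P3 by Version
| sort Version
```

Because max(0, n) = n, a version present in the index keeps its counts while a version found only in the lookup comes through as 0 0 0; a version seen in the index but missing from the lookup still appears, which makes a stale master list easy to spot.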

Contributor

The idea here is to append the additional result set you have. Here is a sample search which is in line with what others have mentioned:

| makeresults
| eval DATA="1.10 5 0,1.11 1 3,1.9 0 2"
| makemv DATA delim=","
| mvexpand DATA
| eval Version=mvindex(split(DATA," "),0)
| eval P1=0
| eval P2=mvindex(split(DATA," "),1)
| eval P3=mvindex(split(DATA," "),2)
| append
    [| makeresults
    | eval DATA="1.12 0 0 0"
    | makemv DATA delim=" "
    | eval Version=mvindex(DATA,0)
    | eval P1=mvindex(DATA,1)
    | eval P2=mvindex(DATA,2)
    | eval P3=mvindex(DATA,3) ]
| fields - DATA _time
| table Version P1 P2 P3

0 Karma

Path Finder

Hi @macadminrohit

Thanks for all your effort and help but I got the solution from other answers in the post.

0 Karma


Path Finder

Thank you so much @niketnilay for the resolution. Your solution was accurate as per my expected result. I apologise that I did not provide much information in the question.

I can only say that you are The Champ 🙂 and I am glad to see that you checked my question and answered it. I always try to learn from your every post.

SplunkTrust
SplunkTrust

Thanks, I am glad you got it working :). In fact, these days I am rarely spending time on Answers or Slack (not even over the weekends 😉). So it was just a coincidence that I stumbled upon one of your questions.

Keep Splunking and keep learning. Sometimes the community will help you, other times you can help the community 😉

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

0 Karma

SplunkTrust
SplunkTrust

@vikas_baranwal,
Try

"your search for current result"
| append
    [| stats count
    | eval Version="1.12", P2=0, P3=0
    | fields - count]
| eval P1=0

0 Karma

Path Finder

Hi Renjith,

Thanks for your quick resolution; it was very close to the resolution. I saw that @niketnilay provided the solution accurately, so I am accepting his answer for the question.

I will always seek your help in future for this kind of issue.

Thanks once again!

0 Karma