Hello All,
I need to construct SPL for the requirement below.

Version  P2  P3
1.10     5   0
1.11     1   3
1.9      0   2

I have 4 versions available, but I can see only 3 versions in the output of the chart. I want to add version 1.12 with 0 in each priority, like below:

[Version]  [P1]  [P2]  [P3]
1.10       0     5     0
1.11       0     1     3
1.9        0     0     2
1.12       0     0     0

Thank you for your time and help!

@vikas_baranwal I hope you have some kind of master lookup for all versions. To your existing search, which returns the specific versions available in the index, you can append a search to get all versions and then eval to add P1, P2 and P3 as 0. Finally, perform a dedup on Version to retain the 0-value results only for versions that are missing in the index.
Following is an example:
index=someindex sourcetype=somesourcetype
| <your statistical query to get Version, P1, P2 and P3> 
| table Version P1 P2 P3 
| append 
    [| makeresults 
    | fields - _time 
    | eval Version="1.10,1.11,1.12,1.9" 
    | makemv Version delim="," 
    | mvexpand Version 
    | eval P1=0,P2=0,P3=0]
| dedup Version
PS: instead of | makeresults .... mvexpand Version, you can have inputlookup etc depending on your use case to pull the list of all available Versions.
Please try it out and confirm!
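
The same append pattern as a self-contained search, added here as an example and not taken from any post in the thread. The three rows from the question are rebuilt with makeresults (constructed data), the master list of four versions is hard-coded where a lookup would normally supply it, and stats max replaces dedup so the merge does not depend on the order of the rows.

```spl
| makeresults
| eval DATA="1.10 5 0,1.11 1 3,1.9 0 2"
| makemv DATA delim=","
| mvexpand DATA
| eval Version=mvindex(split(DATA," "),0), P2=mvindex(split(DATA," "),1), P3=mvindex(split(DATA," "),2)
| table Version P2 P3
| append
    [| makeresults
    | eval Version=split("1.10,1.11,1.9,1.12", ",")
    | mvexpand Version
    | eval P1=0, P2=0, P3=0
    | table Version P1 P2 P3]
| stats max(P1) as P1 max(P2) as P2 max(P3) as P3 by Version
| fillnull value=0 P1 P2 P3
```

Every version in the master list comes out with P1, P2 and P3 filled, and 1.12 shows 0 in all three.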
The idea here is to append the additional result set you have. Here is a sample search, which is in line with what others have mentioned:
| makeresults 
| eval DATA="1.10 5 0,1.11 1 3,1.9 0 2" 
| makemv DATA delim="," 
| mvexpand DATA 
| eval Version=mvindex(split(DATA," "),0) 
| eval P1=mvindex(split(DATA," "),1) 
| eval P2=mvindex(split(DATA," "),2) 
| append 
    [| makeresults 
    | eval DATA="1.12 0 0 0" 
    | makemv DATA delim=" " 
    | eval Version=mvindex(DATA,0) 
    | eval P1=mvindex(DATA,1) 
    | eval P2=mvindex(DATA,2) ] 
| fields - DATA
Hi @macadminrohit,
Thanks for all your effort and help, but I got the solution from other answers in the post.

Thank you so much @niketnilay for the resolution. Your solution was so accurate as per my result expectation. I apologise that I did not provide much information in the question.
I can say only that you are The Champ 🙂 and I am glad to see that you checked my question and answered it. I always try to learn from every one of your posts.

Thanks, I am glad you got it working :). In fact, these days I am rarely spending time on Answers or Slack (not even over the weekends 😉 ). So it was just a coincidence that I stumbled upon one of your questions.
Keep Splunking and keep learning. Sometimes the community will help you, other times you can help the community 😉

@vikas_baranwal,
Try
"your search for current result" |append [|stats count|eval Version="1.12",P2=0,P3=0|fields - count]|eval P1=0
Hi Renjith,
Thanks for your quick resolution; it was very close to the resolution. I saw that @niketnilay provided the solution accurately, so I am accepting his answer for the question.
I will always seek your help in future for this kind of help.
Thanks once again!
