Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I append a row based on a condition to chart an output?

vikas_baranwal
Path Finder
‎12-11-2018 10:12 PM

Hello All,

I need to construct SPL for below requirement.

Version P2 P3
1.10 5 0
1.11 1 3
1.9 0 2

I have 4 versions available but I can see only 3 versions as output of Chart. I want to add version 1.12 with 0 in each priority. Like below

[Version] [P1] [P2] [P3]
1.10 0 5 0
1.11 0 1 3
1.9 0 0 2
1.12 0 0 0

Thank you for your time and help!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎12-12-2018 06:28 AM

@vikas_baranwal hope you have some kind of master lookup for all versions. To your existing search which return specific versions available in index, you can append a search to get all versions and then eval to add P1, P2 and P3 as 0. Finally perform of dedup on Version to retain the 0 value results only for versions that are missing in the index.

Following is an example:

index=someindex sourcetype=somesourcetype
| <your statistical query to get Version, P1, P2 and P3> 
| table Version P1 P2 P3 
| append 
    [| makeresults 
    | fields - _time 
    | eval Version="1.10,1.11,1.12,1.90" 
    | makemv Version delim="," 
    | mvexpand Version 
    | eval P1=0,P2=0,P3=0]
| dedup Version

PS: instead of | makeresults .... mvexpand Version, you can have inputlookup etc depending on your use case to pull the list of all available Versions.

Please try out and confirm!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma
Reply
Solved! Jump to solution

macadminrohit
Contributor
‎12-12-2018 09:59 AM

The idea here is to append the additional result set you have, Here is the sample search which is in line with what others have mentioned :

| makeresults 
| eval DATA="1.10 5 0,1.11 1 3,1.9 0 2" 
| makemv DATA delim="," 
| mvexpand DATA 
| eval Version=mvindex(split(DATA," "),0) 
| eval P1=mvindex(split(DATA," "),1) 
| eval P2=mvindex(split(DATA," "),2) 
| append 
    [| makeresults 
    | eval DATA="1.12 0 0 0" 
    | makemv DATA delim=" " 
    | eval Version=mvindex(DATA,0) 
    | eval P1=mvindex(DATA,1) 
    | eval P2=mvindex(DATA,2) ] | fields - DATA
0 Karma
Reply
Solved! Jump to solution

vikas_baranwal
Path Finder
‎12-12-2018 09:25 PM

Hi @macadminrohit

Thanks for all your effort and help but I got the solution from other answers in the post.

0 Karma
Reply
Solved! Jump to solution
Solution

niketn
Legend
‎12-12-2018 06:28 AM

@vikas_baranwal hope you have some kind of master lookup for all versions. To your existing search which return specific versions available in index, you can append a search to get all versions and then eval to add P1, P2 and P3 as 0. Finally perform of dedup on Version to retain the 0 value results only for versions that are missing in the index.

Following is an example:

index=someindex sourcetype=somesourcetype
| <your statistical query to get Version, P1, P2 and P3> 
| table Version P1 P2 P3 
| append 
    [| makeresults 
    | fields - _time 
    | eval Version="1.10,1.11,1.12,1.90" 
    | makemv Version delim="," 
    | mvexpand Version 
    | eval P1=0,P2=0,P3=0]
| dedup Version

PS: instead of | makeresults .... mvexpand Version, you can have inputlookup etc depending on your use case to pull the list of all available Versions.

Please try out and confirm!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

vikas_baranwal
Path Finder
‎12-12-2018 09:26 PM

Thank you so much @niketnilay for resolution. Your solution was so accurate as per my result expectation. I apologies for, I did not provide much information in the question.

I can say only that you are The Champ 🙂 and glad to see that you checked my question and answered on that. I always try to learn from your every posts.

Reply
Solved! Jump to solution

niketn
Legend
‎12-13-2018 05:30 AM

Thanks I am glad you got it working :). In fact these days I am rarely spending time on Answers or Slack (not even over the weekends 😉 ). So it was just a coincidence that I stumbled upon one of your questions.

Keep Splunking and keep learning. Sometimes community will help you, other times you can help the community 😉

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎12-12-2018 06:26 AM

@vikas_baranwal,
Try

"your search for current result" |append [|stats count|eval Version="1.12",P2=0,P3=0|fields - count]|eval P1=0
Happy Splunking!
0 Karma
Reply
Solved! Jump to solution

vikas_baranwal
Path Finder
‎12-12-2018 09:25 PM

Hi Renjith,

Thanks for your quick resolution and it was very close to resolution. I seen that @niketnilay provided solution accurately so I am accepting his answer for the question.

I will always seek your help in future for these kind of helps.

Thanks once again!

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...