Splunk Search

How do I append a row based on a condition to chart an output?

Path Finder

Hello All,

I need to construct SPL for the requirement below.

Version P2 P3
1.10 5 0
1.11 1 3
1.9 0 2

I have 4 versions available but I can see only 3 versions in the output of chart. I want to add version 1.12 with 0 in each priority, like below:

[Version] [P1] [P2] [P3]
1.10 0 5 0
1.11 0 1 3
1.9 0 0 2
1.12 0 0 0

Thank you for your time and help!

1 Solution

SplunkTrust

@vikas_baranwal, hope you have some kind of master lookup for all versions. To your existing search, which returns the specific versions available in the index, you can append a search to get all versions and then eval to add P1, P2 and P3 as 0. Finally, perform a dedup on Version to retain the 0-value results only for versions that are missing in the index.

Following is an example:

index=someindex sourcetype=somesourcetype
| <your statistical query to get Version, P1, P2 and P3> 
| table Version P1 P2 P3 
| append 
    [| makeresults 
    | fields - _time 
    | eval Version="1.10,1.11,1.12,1.90" 
    | makemv Version delim="," 
    | mvexpand Version 
    | eval P1=0,P2=0,P3=0]
| dedup Version

PS: instead of | makeresults .... mvexpand Version, you can use inputlookup etc., depending on your use case, to pull the list of all available Versions.

Please try out and confirm!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

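A self-contained rendering of this approach, added here as an example and not part of the original answer: the first makeresults block stands in for the indexed events (constructed sample data that reproduces the counts from the question), chart builds the P2/P3 table, the appended subsearch supplies the master list of versions (a constructed list here), and fillnull creates the empty P1 column. It can be pasted into any Splunk search bar as-is.

```spl
| makeresults
| eval raw="1.10:P2,1.10:P2,1.10:P2,1.10:P2,1.10:P2,1.11:P2,1.11:P3,1.11:P3,1.11:P3,1.9:P3,1.9:P3"
| makemv delim="," raw
| mvexpand raw
| rex field=raw "^(?<Version>[^:]+):(?<Priority>P\d)$"
| chart count OVER Version BY Priority
| append
    [| makeresults
     | eval Version="1.9,1.10,1.11,1.12"
     | makemv delim="," Version
     | mvexpand Version
     | fields - _time]
| fillnull value=0 P1 P2 P3
| dedup Version
| table Version P1 P2 P3
```

dedup keeps the first row it sees for each Version, so the zero rows must be appended after the real results; reversing the order would let the zeros win. In practice, replace the subsearch with an inputlookup of your master version list, as the answer above suggests.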

Contributor

The idea here is to append the additional result set you have. Here is the sample search, which is in line with what others have mentioned:

| makeresults 
| eval DATA="1.10 5 0,1.11 1 3,1.9 0 2" 
| makemv DATA delim="," 
| mvexpand DATA 
| eval Version=mvindex(split(DATA," "),0) 
| eval P1=mvindex(split(DATA," "),1) 
| eval P2=mvindex(split(DATA," "),2) 
| append 
    [| makeresults 
    | eval DATA="1.12 0 0 0" 
    | makemv DATA delim=" " 
    | eval Version=mvindex(DATA,0) 
    | eval P1=mvindex(DATA,1) 
    | eval P2=mvindex(DATA,2) ]
| fields - DATA

Path Finder

Hi @macadminrohit

Thanks for all your effort and help, but I got the solution from other answers in the post.


Path Finder

Thank you so much @niketnilay for the resolution. Your solution was accurate, exactly as I expected the result to be. I apologize that I did not provide much information in the question.

I can say only that you are The Champ 🙂 and I am glad to see that you checked my question and answered it. I always try to learn from your every post.

SplunkTrust

Thanks, I am glad you got it working :). In fact, these days I am rarely spending time on Answers or Slack (not even over the weekends 😉), so it was just a coincidence that I stumbled upon one of your questions.

Keep Splunking and keep learning. Sometimes the community will help you, other times you can help the community 😉

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

SplunkTrust

@vikas_baranwal,
Try

"your search for current result" |append [|stats count|eval Version="1.12",P2=0,P3=0|fields - count]|eval P1=0

Path Finder

Hi Renjith,

Thanks for your quick resolution; it was very close to the resolution. I saw that @niketnilay provided the solution accurately, so I am accepting his answer for the question.

I will always seek your help in the future for this kind of help.

Thanks once again!
