Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I convert results to an X-Y table?

claatu
Explorer
‎10-05-2018 10:52 AM

I have query results that look like this:

Risk      Age     Total
High     gt30    16
High     gt60      3
High     gt90   184
Low      gt30      4
Low      gt60    42
Low      gt90     84

I want it to be in this X-Y table format where X is Age and Y is Risk:

alt text

And note that there is no result for Med risk, but that has to be accounted for in the end formatted table as zeroes.

How the Splunk do I get that to happen?

Alternatively, I can get the results in this form, with zeroes for Med:
alt text

But then, how do you convert that into the desired X-Y table format?

Tags (2)
Preview file
14 KB
Preview file
11 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎10-05-2018 11:39 AM

@claatu

Can you please try this?

YOUR_SEARCH
| table Risk Age Total
| append [|makeresults| eval Risk="High,Med,Low",Risk=split(Risk,","),Age="gt30,gt60,gt90",Age=split(Age,","),order="1,3,2",order=split(order,",") | mvexpand Risk] | fillnull value=0 Total 
| chart sum(Total) over Risk by Age |eval priority = if (Risk="High",1,if(Risk="Med",2,if(Risk="Low",3,4)))| sort priority | fields - priority

My Sample search:

| makeresults 
| eval data="High gt30 16|High gt60 3|High gt90 184|Low gt30 4|Low gt60 42|Low gt90 84|Med gt90 8" , data=split(data,"|") 
| mvexpand data 
| eval Risk=mvindex(split(data," "),0),Age=mvindex(split(data," "),1),Total=mvindex(split(data," "),2) 
| table Risk Age Total
| append [|makeresults| eval Risk="High,Med,Low",Risk=split(Risk,","),Age="gt30,gt60,gt90",Age=split(Age,","),order="1,3,2",order=split(order,",") | mvexpand Risk] | fillnull value=0 Total 
| chart sum(Total) over Risk by Age |eval priority = if (Risk="High",1,if(Risk="Med",2,if(Risk="Low",3,4)))| sort priority | fields - priority

Thanks

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎10-05-2018 11:39 AM

@claatu

Can you please try this?

YOUR_SEARCH
| table Risk Age Total
| append [|makeresults| eval Risk="High,Med,Low",Risk=split(Risk,","),Age="gt30,gt60,gt90",Age=split(Age,","),order="1,3,2",order=split(order,",") | mvexpand Risk] | fillnull value=0 Total 
| chart sum(Total) over Risk by Age |eval priority = if (Risk="High",1,if(Risk="Med",2,if(Risk="Low",3,4)))| sort priority | fields - priority

My Sample search:

| makeresults 
| eval data="High gt30 16|High gt60 3|High gt90 184|Low gt30 4|Low gt60 42|Low gt90 84|Med gt90 8" , data=split(data,"|") 
| mvexpand data 
| eval Risk=mvindex(split(data," "),0),Age=mvindex(split(data," "),1),Total=mvindex(split(data," "),2) 
| table Risk Age Total
| append [|makeresults| eval Risk="High,Med,Low",Risk=split(Risk,","),Age="gt30,gt60,gt90",Age=split(Age,","),order="1,3,2",order=split(order,",") | mvexpand Risk] | fillnull value=0 Total 
| chart sum(Total) over Risk by Age |eval priority = if (Risk="High",1,if(Risk="Med",2,if(Risk="Low",3,4)))| sort priority | fields - priority

Thanks

0 Karma
Reply
Solved! Jump to solution

claatu
Explorer
‎10-05-2018 11:55 AM

Wow, that works! Is there a way to make it sort like this:
High
Med
Low

instead of
High
Low
Med

?

0 Karma
Reply
Solved! Jump to solution

claatu
Explorer
‎10-05-2018 12:11 PM

Figured it out.

| eval sort_field=case(Risk="High",1, Risk="Med",2, Risk="Low",3) | sort sort_field | fields Risk gt30 gt60 gt90

0 Karma
Reply
Solved! Jump to solution

Vijeta
Influencer
‎10-05-2018 12:11 PM

Yes you can create a new field and assign numbers to it at the end of your code, add this -

eval priority = if (risk="High",1,if(risk="Medieum",2,if(risk="Low",3,4)))| sort priority | fields - priority

Reply
Solved! Jump to solution

Vijeta
Influencer
‎10-05-2018 11:20 AM

If you have this data
Risk Age Total
High gt30 16
High gt60 3
High gt90 184
Low gt30 4
Low gt60 42
Low gt90 84

you can have query as chart sum(total) by risk age

0 Karma
Reply
Solved! Jump to solution

claatu
Explorer
‎10-05-2018 11:47 AM

This method does not produce a zero result for the Med column.

0 Karma
Reply
Solved! Jump to solution

vinaykata
Path Finder
‎10-05-2018 11:17 AM

can you post the query you're using now

0 Karma
Reply
Solved! Jump to solution

claatu
Explorer
‎10-05-2018 11:28 AM

It's really long and involved so I don't want to post that here. But if you want to experiment you can just create a lookup table per the results I first mentioned (or the alternative results), and do an |inputlookup on it and go from there.

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...