Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do you add a blank row after each unique host in search results?

kenntun
Engager
‎01-13-2019 08:26 PM

I have a search statement in a customized dashboard to show the disk utilization of my servers. I would like to add a blank row after each unique server, such as follows:

Current:

host          mount     Disk size(GB)    Free(GB)   
host1        /            5.0           3.0 
host1        /etc          5.0           2.4
host2        /             10.0         4.0 
host2        /etc          20.0        14.0
host2        /var          15.0        8.9
host3        /            15.0        6.0 
host3        /mnt         15.0        10.3

What I wanted:

host          mount     Disk size(GB)    Free(GB)   
host1        /            5.0           3.0 
host1        /etc          5.0           2.4

host2        /             10.0         4.0 
host2        /etc          20.0        14.0
host2        /var          15.0        8.9

host3        /            15.0        6.0 
host3        /mnt         15.0        10.3

Note: Not all servers have the same number of mounts.

My search statement:

| tstats latest(JFS.storage) AS storage, latest(JFS.storage_free) AS storage_free, latest(JFS.storage_used) AS storage_used, latest(JFS.storage_used_percent) AS storage_used_percent from datamodel=NMON_Data_JFS
where (nodename = JFS.DF_STORAGE) (host=$host-prefilter$) ($frameID$) ($osfilter$) ($host$) ($mount$) (JFS.mount=$fsfilter$) groupby host JFS.mount prestats=true
| stats dedup_splitvals=t latest(JFS.storage) AS storage, latest(JFS.storage_free) AS storage_free, latest(JFS.storage_used) AS storage_used, latest(JFS.storage_used_percent) AS storage_used_percent by host JFS.mount
| sort limit=0 host
| rename "JFS.mount" AS "mount"
| fields host, mount, storage, storage_free,storage_used,storage_used_percent
| foreach storage storage_free storage_used [ eval <<FIELD>> = round(('<<FIELD>>'$df_storage_unit_math$), 2) ]
| rename storage as "Disk Size ($df_storage_unit_legend$)", storage_free as "Free ($df_storage_unit_legend$)", storage_used as "Used ($df_storage_unit_legend$)", storage_used_percent as "Used (%)"
| eval UsedPct=if(isnum('Used (%)'), 'Used (%)', 0 )
| fields host, mount, "Disk Size ($df_storage_unit_legend$)", "Free ($df_storage_unit_legend$)", "Used ($df_storage_unit_legend$)", "Used (%)"
| eval "Used (%)" = if(isnull('storage used (%)'), (('Used ($df_storage_unit_legend$)'/'Disk Size ($df_storage_unit_legend$)')*100), 'Used (%)')
| foreach storage*%* [ eval <<FIELD>> = round('<<FIELD>>', 2) ]
0 Karma
Reply

askkawalkar
Path Finder
‎01-14-2019 02:52 AM

Hi @kenntun ,

I have used above data as input and loaded it into Splunk. Below is one possible solution. I hope this solution can help you.
P.S.: I have used sorting on the basis of hostname and mount and accordingly. 

| makeresults 
 | eval data="host1,x, , ;host2,x, , ;host3,x, , " 
 | makemv data delim=";" 
 | mvexpand data 
 | makemv data delim="," 
| eval hostval=mvindex(data,0),mount=mvindex(data,1),Disksize=mvindex(data,2),Free=mvindex(data,3)
| table hostval,mount,Disksize,Free
| append
    [search index=test source="C:\\Splunk_Data\\Test\\testdata_splunk.csv"
| dedup hostval,mount
| table hostval,mount,Disksize,Free
]
| sort hostval,mount
| eval hostval=if(mount="x","",hostval),mount=if(mount="x"," ",mount)
0 Karma
Reply

kenntun
Engager
‎01-13-2019 09:48 PM

Could you elaborate more? Thanks a lot

0 Karma
Reply

shrikantgulia1
New Member
‎01-13-2019 09:17 PM

you can also use fillnull

0 Karma
Reply

shrikantgulia1
New Member
‎01-13-2019 09:16 PM

Hello,
Please look.... this may be of some use

https://answers.splunk.com/answers/399417/add-a-blank-row-in-the-table.html

Regards

0 Karma
Reply

kenntun
Engager
‎01-14-2019 01:07 AM

Any methods to compare string values of two different rows with something like an if -else statement?

0 Karma
Reply

shrikantgulia1
New Member
‎01-14-2019 01:10 AM

fillnull value="as" test,

this is used when you dont have any vale in a field and you give it a value

0 Karma
Reply

kenntun
Engager
‎01-14-2019 01:39 AM

I think you misunderstood my situation. There are no blank fields in my search results.
I've edited the question. Thanks again.

0 Karma
Reply

kenntun
Engager
‎01-14-2019 12:56 AM

Thanks for your help.
However, the situation is a bit different since the post only have to add one line in the second row, but I want to add a single line every time the value of the first column is different. Any suggestions?

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...