Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do you add a blank row after each unique host in search results?

kenntun
Engager
‎01-13-2019 08:26 PM

I have a search statement in a customized dashboard to show the disk utilization of my servers. I would like to add a blank row after each unique server, such as follows:

Current:

host          mount     Disk size(GB)    Free(GB)   
host1        /            5.0           3.0 
host1        /etc          5.0           2.4
host2        /             10.0         4.0 
host2        /etc          20.0        14.0
host2        /var          15.0        8.9
host3        /            15.0        6.0 
host3        /mnt         15.0        10.3

What I wanted:

host          mount     Disk size(GB)    Free(GB)   
host1        /            5.0           3.0 
host1        /etc          5.0           2.4

host2        /             10.0         4.0 
host2        /etc          20.0        14.0
host2        /var          15.0        8.9

host3        /            15.0        6.0 
host3        /mnt         15.0        10.3

Note: Not all servers have the same number of mounts.

My search statement:

| tstats latest(JFS.storage) AS storage, latest(JFS.storage_free) AS storage_free, latest(JFS.storage_used) AS storage_used, latest(JFS.storage_used_percent) AS storage_used_percent from datamodel=NMON_Data_JFS
where (nodename = JFS.DF_STORAGE) (host=$host-prefilter$) ($frameID$) ($osfilter$) ($host$) ($mount$) (JFS.mount=$fsfilter$) groupby host JFS.mount prestats=true
| stats dedup_splitvals=t latest(JFS.storage) AS storage, latest(JFS.storage_free) AS storage_free, latest(JFS.storage_used) AS storage_used, latest(JFS.storage_used_percent) AS storage_used_percent by host JFS.mount
| sort limit=0 host
| rename "JFS.mount" AS "mount"
| fields host, mount, storage, storage_free,storage_used,storage_used_percent
| foreach storage storage_free storage_used [ eval <<FIELD>> = round(('<<FIELD>>'$df_storage_unit_math$), 2) ]
| rename storage as "Disk Size ($df_storage_unit_legend$)", storage_free as "Free ($df_storage_unit_legend$)", storage_used as "Used ($df_storage_unit_legend$)", storage_used_percent as "Used (%)"
| eval UsedPct=if(isnum('Used (%)'), 'Used (%)', 0 )
| fields host, mount, "Disk Size ($df_storage_unit_legend$)", "Free ($df_storage_unit_legend$)", "Used ($df_storage_unit_legend$)", "Used (%)"
| eval "Used (%)" = if(isnull('storage used (%)'), (('Used ($df_storage_unit_legend$)'/'Disk Size ($df_storage_unit_legend$)')*100), 'Used (%)')
| foreach storage*%* [ eval <<FIELD>> = round('<<FIELD>>', 2) ]
0 Karma
Reply

askkawalkar
Path Finder
‎01-14-2019 02:52 AM

Hi @kenntun ,

I have used above data as input and loaded it into Splunk. Below is one possible solution. I hope this solution can help you.
P.S.: I have used sorting on the basis of hostname and mount and accordingly. 

| makeresults 
 | eval data="host1,x, , ;host2,x, , ;host3,x, , " 
 | makemv data delim=";" 
 | mvexpand data 
 | makemv data delim="," 
| eval hostval=mvindex(data,0),mount=mvindex(data,1),Disksize=mvindex(data,2),Free=mvindex(data,3)
| table hostval,mount,Disksize,Free
| append
    [search index=test source="C:\\Splunk_Data\\Test\\testdata_splunk.csv"
| dedup hostval,mount
| table hostval,mount,Disksize,Free
]
| sort hostval,mount
| eval hostval=if(mount="x","",hostval),mount=if(mount="x"," ",mount)
0 Karma
Reply

kenntun
Engager
‎01-13-2019 09:48 PM

Could you elaborate more? Thanks a lot

0 Karma
Reply

shrikantgulia1
New Member
‎01-13-2019 09:17 PM

you can also use fillnull

0 Karma
Reply

shrikantgulia1
New Member
‎01-13-2019 09:16 PM

Hello,
Please look.... this may be of some use

https://answers.splunk.com/answers/399417/add-a-blank-row-in-the-table.html

Regards

0 Karma
Reply

kenntun
Engager
‎01-14-2019 01:07 AM

Any methods to compare string values of two different rows with something like an if -else statement?

0 Karma
Reply

shrikantgulia1
New Member
‎01-14-2019 01:10 AM

fillnull value="as" test,

this is used when you dont have any vale in a field and you give it a value

0 Karma
Reply

kenntun
Engager
‎01-14-2019 01:39 AM

I think you misunderstood my situation. There are no blank fields in my search results.
I've edited the question. Thanks again.

0 Karma
Reply

kenntun
Engager
‎01-14-2019 12:56 AM

Thanks for your help.
However, the situation is a bit different since the post only have to add one line in the second row, but I want to add a single line every time the value of the first column is different. Any suggestions?

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...