Splunk Search

How to convert the Row data into 1 column

Real_captain
Explorer

Hi,
Can you please let me know how I can display the below 3 rows in a single row:

(screenshot of the 3 result rows, not reproduced)

Query:
index=events_prod_cdp_penalty_esa source="SYSLOG" sourcetype=zOS-SYSLOG-Console (TERM(VVF119P)) ("- ENDED" OR "- STARTED" OR "PURGED --")
| rex field=TEXT "(VVF119P -)(?<Function>[^\-]+)"
| fillnull Function value=" PURGED"
| eval DAT = strftime(relative_time(_time, "+0h"), "%Y/%m/%d")
| rename DAT as Date_of_reception
| table JOBNAME, Date_of_reception, Function, _time
| sort _time


I want to display the result in the below format:

| JOBNAME | Date_of_reception | STARTED_TIME | ENDED_TIME | PURGED_TIME |
| $VVF119P | 2024/04/17 | 02:12:37 | 02:12:46 | 02:12:50 |

Thanks in advance. 

0 Karma

Real_captain
Explorer

This gives me the result in the below format.

(screenshot of the resulting single row, not reproduced)

Is it possible to have 1 more field in the table and sort the columns in the below order:

| JOBNAME | Date_of_reception | STARTED_TIME | ENDED_TIME | PURGED_TIME | Diff Between STARTED_TIME and ENDED_TIME |
| $VVF119P | 2024/04/17 | 02:12:37 | 02:12:46 | 02:12:50 | 00:00:09 |

0 Karma

ITWhisperer
SplunkTrust

Try something like this

| eval {Function}_TIME=_time
| stats values(Date_of_reception) as Date_of_reception values(*_TIME) as *_TIME by JOBNAME
| eval Diff=ENDED_TIME-STARTED_TIME
| fieldformat STARTED_TIME=strftime(STARTED_TIME,"%H:%M:%S")
| fieldformat ENDED_TIME=strftime(ENDED_TIME,"%H:%M:%S")
| fieldformat PURGED_TIME=strftime(PURGED_TIME,"%H:%M:%S")
| fieldformat Diff=tostring(Diff,"duration")
0 Karma

ITWhisperer
SplunkTrust

Try something like this

index=events_prod_cdp_penalty_esa source="SYSLOG" sourcetype=zOS-SYSLOG-Console (TERM(VVF119P)) ("- ENDED" OR "- STARTED" OR "PURGED --")
| rex field=TEXT "(VVF119P -)(?<Function>[^\-]+)"
| fillnull Function value=" PURGED"
| eval DAT = strftime(relative_time(_time, "+0h"), "%Y/%m/%d")
| rename DAT as Date_of_reception
| table JOBNAME, Date_of_reception, Function, _time
| sort _time
| eval {Function}_TIME=strftime(_time,"%H:%M:%S")
| stats values(Date_of_reception) as Date_of_reception values(*_TIME) as *_TIME by JOBNAME
0 Karma
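The two answers above do the same reshaping in SPL: rex the Function out of TEXT, fillnull the PURGED lines, write a STARTED_TIME/ENDED_TIME/PURGED_TIME field per event with `eval {Function}_TIME`, then collapse the events to one row per JOBNAME with `stats values(*_TIME) as *_TIME by JOBNAME`; the second answer keeps epoch values so `Diff=ENDED_TIME-STARTED_TIME` can be computed before `fieldformat` renders them. The following Python is an added example, not code from the thread or from Splunk, that models that pipeline outside Splunk so the steps can be checked line by line. The SYSLOG lines, job names and the `$HASP250` purge text are constructed for the example and only loosely imitate z/OS console output; `extract_function`, `pivot_jobs` and `duration` are names chosen here. It also covers the case the SPL leaves implicit: a job that has STARTED but not yet ENDED gets an empty ENDED_TIME and an empty Diff instead of a bogus value.

```python
"""Model of the thread's SPL: one row per JOBNAME with STARTED/ENDED/PURGED times and Diff.

Added example, not from the Splunk thread. Log lines below are constructed and
only loosely imitate z/OS SYSLOG console text.
"""
import re
from datetime import datetime, timezone

# Constructed sample events: (_time as "YYYY/MM/DD HH:MM:SS", JOBNAME, TEXT).
# The first job has all three lifecycle messages; the second is still running.
SAMPLE_EVENTS = [
    ("2024/04/17 02:12:37", "$VVF119P", "VVF119P - STARTED - TIME=02.12.37"),
    ("2024/04/17 02:12:46", "$VVF119P", "VVF119P - ENDED - TIME=02.12.46 RC=0000"),
    ("2024/04/17 02:12:50", "$VVF119P", "$HASP250 VVF119P PURGED -- (JOB KEY WAS 0000ABCD)"),
    ("2024/04/17 03:00:00", "$VVF119X", "VVF119P - STARTED - TIME=03.00.00"),
]

# Same shape as the thread's rex: everything after "VVF119P -" up to the next dash.
FUNCTION_RE = re.compile(r"VVF119P -(?P<Function>[^-]+)")
FUNCTIONS = ("STARTED", "ENDED", "PURGED")


def extract_function(text):
    """rex + fillnull: return STARTED, ENDED or PURGED, or None for anything else."""
    m = FUNCTION_RE.search(text)
    if m:
        # The rex leaves spaces around the word ("- STARTED -"); strip them so the
        # generated field name is STARTED_TIME rather than " STARTED _TIME".
        return m.group("Function").strip()
    if "PURGED --" in text:
        # The fillnull branch: purge messages do not contain "VVF119P -".
        return "PURGED"
    return None


def to_epoch(ts):
    """Parse the constructed timestamp as UTC epoch seconds (Splunk's _time)."""
    return int(datetime.strptime(ts, "%Y/%m/%d %H:%M:%S").replace(tzinfo=timezone.utc).timestamp())


def hms(epoch):
    """fieldformat strftime(x, "%H:%M:%S") equivalent."""
    return datetime.fromtimestamp(epoch, timezone.utc).strftime("%H:%M:%S")


def duration(seconds):
    """tostring(x, "duration") equivalent for spans under one day: HH:MM:SS."""
    h, rem = divmod(seconds, 3600)
    m, s = divmod(rem, 60)
    return f"{h:02d}:{m:02d}:{s:02d}"


def pivot_jobs(events):
    """eval {Function}_TIME=_time | stats values(*_TIME) by JOBNAME | eval Diff=ENDED-STARTED."""
    by_job = {}
    for ts, jobname, text in sorted(events, key=lambda e: e[0]):  # | sort _time
        func = extract_function(text)
        if func not in FUNCTIONS:
            continue
        row = by_job.setdefault(jobname, {"Date_of_reception": ts[:10]})
        # stats values() would keep every distinct time for a job that starts twice;
        # here the earliest occurrence wins so the Diff stays a single number.
        row.setdefault(f"{func}_TIME", to_epoch(ts))

    rows = []
    for jobname, row in by_job.items():
        started, ended = row.get("STARTED_TIME"), row.get("ENDED_TIME")
        purged = row.get("PURGED_TIME")
        rows.append({
            "JOBNAME": jobname,
            "Date_of_reception": row["Date_of_reception"],
            "STARTED_TIME": hms(started) if started is not None else None,
            "ENDED_TIME": hms(ended) if ended is not None else None,
            "PURGED_TIME": hms(purged) if purged is not None else None,
            # Diff is taken on epoch seconds before any formatting, as in the
            # fieldformat answer; a job without ENDED gets no Diff rather than garbage.
            "Diff": duration(ended - started) if started is not None and ended is not None else None,
        })
    return rows


if __name__ == "__main__":
    for r in pivot_jobs(SAMPLE_EVENTS):
        print(r)
```

The reason the second answer computes Diff before `fieldformat` matters in the SPL as well: `fieldformat` only changes how a value is displayed, so subtraction still works on the epoch values, whereas the first answer's `eval {Function}_TIME=strftime(...)` turns the fields into strings before `stats` and leaves nothing to subtract.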