Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to count from raw lines?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a lot of RAW data with this format:
date_time,serverA,down
date_time,serverB,down
date_time,serverA,down
date_time,serverA,down
date_time,serverA,up
date_time,serverB,up
How to count that raw data so we can have the following result?
server | up | down|
serverA | 1 | 3 |
serverB | 1 | 1 |
Thanks,
Andi
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@ndiphe13, following is a run anywhere search based on the sample data and output provided in the question. The commands from | makeresults till | rename data as _raw generate the mock data. You can use your base search instead.
| makeresults
| eval data="date_time,serverA,down;date_time,serverB,down;date_time,serverA,down;date_time,serverA,down;date_time,serverA,up;date_time,serverB,up"
| makemv data delim=";"
| mvexpand data
| rename data as _raw
| makemv _raw delim=","
| eval server=mvindex(_raw,1),status=mvindex(_raw,2)
| chart count over server by status
PS: Since you already have command delimited data, you can use props.conf to generate the fields server and status during search time. That way you will not require makemv and eval commands
<YourBaseSearch>
| chart count over server by status
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@ndiphe13, following is a run anywhere search based on the sample data and output provided in the question. The commands from | makeresults till | rename data as _raw generate the mock data. You can use your base search instead.
| makeresults
| eval data="date_time,serverA,down;date_time,serverB,down;date_time,serverA,down;date_time,serverA,down;date_time,serverA,up;date_time,serverB,up"
| makemv data delim=";"
| mvexpand data
| rename data as _raw
| makemv _raw delim=","
| eval server=mvindex(_raw,1),status=mvindex(_raw,2)
| chart count over server by status
PS: Since you already have command delimited data, you can use props.conf to generate the fields server and status during search time. That way you will not require makemv and eval commands
<YourBaseSearch>
| chart count over server by status
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks @niketnilay for your great sharing. Ive done some changes in the props.conf and transform.conf. The output is exactly what I am expected.
props.conf
[syslog]
REPORT-fields=commafields
transform.conf
[commafields]
DELIMS = ","
FIELDS = date_time, server, sensor, status, remark
My Search
<MyBaseSearch> | chart count over server by status
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Perfect!!! Way to go. 🙂
| makeresults | eval message= "Happy Splunking!!!"
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
