Solved: How to create multiple events with different value...

djoobbani · ‎11-10-2023

Hi there:

I have the following makeresults query:

| makeresults count=3
| eval source="abc"
| eval msg="consumed"
| eval time_1="2023-11-09T21:33:05Z"
| eval time_2="2023-11-09T21:40:05Z"

So i want to create three different events where the values for time_1 & time_2 are different for each event.
How can i do that?

Thanks!

tscroggins · ‎11-11-2023

You could just create one event instead of three, or in the example, just return the first event:

| head 1

If you're working with ISO time strings but unknown times in an unknown order, you can sort lexicographically:

| sort time_1
| head 1

If the time format is known but not necessarily in ISO format, you can convert time_1 to an epoch value using the appropriate format string (still ISO in this example) and sort the result:

| eval time_1_epoch=strptime(time_1, "%Y-%m-%dT%H:%M:%S%Z")
| sort time_1_epoch
| head 1

If multiple events have the same time_1 value, you can use eventstats and where:

| eval time_1_epoch=strptime(time_1, "%Y-%m-%dT%H:%M:%S%Z")
| eventstats min(time_1_epoch) as min_time_1
| where time_1_epoch==min_time_1

View solution in original post

tscroggins · ‎11-10-2023

Hi @djoobbani,

I find the simplest way to generate multiple events is a combination of makeresults, eval, and mvexpand:

| makeresults
| eval source="abc"
| eval msg="consumed"
| eval time_pairs=split("2023-11-09T21:33:05Z,2023-11-09T21:40:05Z|2023-11-09T21:34:05Z,2023-11-09T21:41:05Z|2023-11-09T21:35:05Z,2023-11-09T21:42:05Z", "|")
| mvexpand time_pairs
| eval time_pairs=split(time_pairs, ",")
| eval time_1=mvindex(time_pairs, 0), time_2=mvindex(time_pairs, 1)
| fields - time_pairs

You can also use streamstats count combined with eval case:

| makeresults count=3
| eval source="abc"
| eval msg="consumed"
| streamstats count
| eval time_1=case(count==1, "2023-11-09T21:33:05Z", count==2, "2023-11-09T21:34:05Z", count==3, "2023-11-09T21:35:05Z")
| eval time_2=case(count==1, "2023-11-09T21:40:05Z", count==2, "2023-11-09T21:41:05Z", count==3, "2023-11-09T21:42:05Z")
| fields - count

These are just two examples. You can be as creative as needed.

djoobbani · ‎11-10-2023

Thank you, how would i be able to reduce the result by only displaying the row with the earliest time (time_1 field)?

Thanks!

tscroggins · ‎11-11-2023

You could just create one event instead of three, or in the example, just return the first event:

| head 1

If you're working with ISO time strings but unknown times in an unknown order, you can sort lexicographically:

| sort time_1
| head 1

If the time format is known but not necessarily in ISO format, you can convert time_1 to an epoch value using the appropriate format string (still ISO in this example) and sort the result:

| eval time_1_epoch=strptime(time_1, "%Y-%m-%dT%H:%M:%S%Z")
| sort time_1_epoch
| head 1

If multiple events have the same time_1 value, you can use eventstats and where:

| eval time_1_epoch=strptime(time_1, "%Y-%m-%dT%H:%M:%S%Z")
| eventstats min(time_1_epoch) as min_time_1
| where time_1_epoch==min_time_1

djoobbani · ‎11-11-2023

Thank you very much for the solution!

How to create multiple events with different values using makeresults

count

stats

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

.conf26 Registration is Live: Secure Your Early Bird Pass Now

Mile High Learning with Splunk University, Denver, Colorado

IT Service Intelligence 5.0 Series: Your Guide to the June Launch

Join the Conversation