Solved: Re: How to create multiple events with different v...

djoobbani · ‎11-10-2023

Hi there:

I have the following makeresults query:

| makeresults count=3
| eval source="abc"
| eval msg="consumed"
| eval time_1="2023-11-09T21:33:05Z"
| eval time_2="2023-11-09T21:40:05Z"

So i want to create three different events where the values for time_1 & time_2 are different for each event.
How can i do that?

Thanks!

tscroggins · ‎11-11-2023

You could just create one event instead of three, or in the example, just return the first event:

| head 1

If you're working with ISO time strings but unknown times in an unknown order, you can sort lexicographically:

| sort time_1
| head 1

If the time format is known but not necessarily in ISO format, you can convert time_1 to an epoch value using the appropriate format string (still ISO in this example) and sort the result:

| eval time_1_epoch=strptime(time_1, "%Y-%m-%dT%H:%M:%S%Z")
| sort time_1_epoch
| head 1

If multiple events have the same time_1 value, you can use eventstats and where:

| eval time_1_epoch=strptime(time_1, "%Y-%m-%dT%H:%M:%S%Z")
| eventstats min(time_1_epoch) as min_time_1
| where time_1_epoch==min_time_1

View solution in original post

tscroggins · ‎11-10-2023

Hi @djoobbani,

I find the simplest way to generate multiple events is a combination of makeresults, eval, and mvexpand:

| makeresults
| eval source="abc"
| eval msg="consumed"
| eval time_pairs=split("2023-11-09T21:33:05Z,2023-11-09T21:40:05Z|2023-11-09T21:34:05Z,2023-11-09T21:41:05Z|2023-11-09T21:35:05Z,2023-11-09T21:42:05Z", "|")
| mvexpand time_pairs
| eval time_pairs=split(time_pairs, ",")
| eval time_1=mvindex(time_pairs, 0), time_2=mvindex(time_pairs, 1)
| fields - time_pairs

You can also use streamstats count combined with eval case:

| makeresults count=3
| eval source="abc"
| eval msg="consumed"
| streamstats count
| eval time_1=case(count==1, "2023-11-09T21:33:05Z", count==2, "2023-11-09T21:34:05Z", count==3, "2023-11-09T21:35:05Z")
| eval time_2=case(count==1, "2023-11-09T21:40:05Z", count==2, "2023-11-09T21:41:05Z", count==3, "2023-11-09T21:42:05Z")
| fields - count

These are just two examples. You can be as creative as needed.

djoobbani · ‎11-10-2023

Thank you, how would i be able to reduce the result by only displaying the row with the earliest time (time_1 field)?

Thanks!

tscroggins · ‎11-11-2023

You could just create one event instead of three, or in the example, just return the first event:

| head 1

If you're working with ISO time strings but unknown times in an unknown order, you can sort lexicographically:

| sort time_1
| head 1

If the time format is known but not necessarily in ISO format, you can convert time_1 to an epoch value using the appropriate format string (still ISO in this example) and sort the result:

| eval time_1_epoch=strptime(time_1, "%Y-%m-%dT%H:%M:%S%Z")
| sort time_1_epoch
| head 1

If multiple events have the same time_1 value, you can use eventstats and where:

| eval time_1_epoch=strptime(time_1, "%Y-%m-%dT%H:%M:%S%Z")
| eventstats min(time_1_epoch) as min_time_1
| where time_1_epoch==min_time_1

djoobbani · ‎11-11-2023

Thank you very much for the solution!

How to create multiple events with different values using makeresults

count

stats

Thanks for the Memories! Splunk University, .conf25, and our Community

Data Persistence in the OpenTelemetry Collector

Introducing Splunk 10.0: Smarter, Faster, and More Powerful Than Ever

Are you a member of the Splunk Community?