Solved: Re: How to create multiple events with different v...

djoobbani · ‎11-10-2023

Hi there:

I have the following makeresults query:

| makeresults count=3
| eval source="abc"
| eval msg="consumed"
| eval time_1="2023-11-09T21:33:05Z"
| eval time_2="2023-11-09T21:40:05Z"

So i want to create three different events where the values for time_1 & time_2 are different for each event.
How can i do that?

Thanks!

tscroggins · ‎11-11-2023

You could just create one event instead of three, or in the example, just return the first event:

| head 1

If you're working with ISO time strings but unknown times in an unknown order, you can sort lexicographically:

| sort time_1
| head 1

If the time format is known but not necessarily in ISO format, you can convert time_1 to an epoch value using the appropriate format string (still ISO in this example) and sort the result:

| eval time_1_epoch=strptime(time_1, "%Y-%m-%dT%H:%M:%S%Z")
| sort time_1_epoch
| head 1

If multiple events have the same time_1 value, you can use eventstats and where:

| eval time_1_epoch=strptime(time_1, "%Y-%m-%dT%H:%M:%S%Z")
| eventstats min(time_1_epoch) as min_time_1
| where time_1_epoch==min_time_1

View solution in original post

tscroggins · ‎11-10-2023

Hi @djoobbani,

I find the simplest way to generate multiple events is a combination of makeresults, eval, and mvexpand:

| makeresults
| eval source="abc"
| eval msg="consumed"
| eval time_pairs=split("2023-11-09T21:33:05Z,2023-11-09T21:40:05Z|2023-11-09T21:34:05Z,2023-11-09T21:41:05Z|2023-11-09T21:35:05Z,2023-11-09T21:42:05Z", "|")
| mvexpand time_pairs
| eval time_pairs=split(time_pairs, ",")
| eval time_1=mvindex(time_pairs, 0), time_2=mvindex(time_pairs, 1)
| fields - time_pairs

You can also use streamstats count combined with eval case:

| makeresults count=3
| eval source="abc"
| eval msg="consumed"
| streamstats count
| eval time_1=case(count==1, "2023-11-09T21:33:05Z", count==2, "2023-11-09T21:34:05Z", count==3, "2023-11-09T21:35:05Z")
| eval time_2=case(count==1, "2023-11-09T21:40:05Z", count==2, "2023-11-09T21:41:05Z", count==3, "2023-11-09T21:42:05Z")
| fields - count

These are just two examples. You can be as creative as needed.

djoobbani · ‎11-10-2023

Thank you, how would i be able to reduce the result by only displaying the row with the earliest time (time_1 field)?

Thanks!

tscroggins · ‎11-11-2023

You could just create one event instead of three, or in the example, just return the first event:

| head 1

If you're working with ISO time strings but unknown times in an unknown order, you can sort lexicographically:

| sort time_1
| head 1

If the time format is known but not necessarily in ISO format, you can convert time_1 to an epoch value using the appropriate format string (still ISO in this example) and sort the result:

| eval time_1_epoch=strptime(time_1, "%Y-%m-%dT%H:%M:%S%Z")
| sort time_1_epoch
| head 1

If multiple events have the same time_1 value, you can use eventstats and where:

| eval time_1_epoch=strptime(time_1, "%Y-%m-%dT%H:%M:%S%Z")
| eventstats min(time_1_epoch) as min_time_1
| where time_1_epoch==min_time_1

djoobbani · ‎11-11-2023

Thank you very much for the solution!

How to create multiple events with different values using makeresults

count

stats

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...