Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create new field based on table values?

satish
Explorer
‎04-12-2023 01:49 AM

Dear Experts..
Looking for help with a Splunk Query...
I was working on a Splunk Query to identify the Frames connection to the HMC.. Im able to find the HMC's the frame is connected.. If a frame is connected with 2 hmc the active_hmc field will contain both hmc's separated by "_ "
Incase the frame is connected with single HMC.. active_hmc contains only one HMC name..
I would like to create a new field that would contain the actual HMC pair name for each frame..
For the single HMC active frames, I would like to generate the HMC pair data by searching inside the entire table to see if there is a match..

For Example:
==============
if the field value active_hmc=hmc50.. The same field also will have some frames connected wirh 2 hmcs like active_hmc=hmc49_hmc50.

Would like to find that pairs and create a new field hmc_pair in the table with values hmc_pair=hmc49_hmc50.

Could you help me with the query.

Splunk query:
==================
index=aix_os source=hmc
| spath path=hmc_info{} output=LIST
| mvexpand LIST
| spath input=LIST
| where category == "power_frame"
| dedup hmc_name frame_name
| stats values(hmc_name) as hmc_names dc(hmc_name) as hmc_count by frame_serial, frame_name, datacenter
| eval active_hmc=mvjoin(mvsort(hmc_names), "_")
| eval hmc_pair=mvjoin(mvsort(hmc_names), "_")
| eval hmc_redundancy=if(hmc_count=2, if(match(active_hmc, "^([^_]+)_([^_]+)$") AND mvcount(mvdedup(hmc_names))=2, "OK", "missing"), "NOT-OK")
| table active_hmc frame_name, frame_serial,hmc_redundancy, datacenter
| sort +hmc_redundancy

 

Thanks

Labels (4)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-12-2023 02:45 AM

Try something like this

index=aix_os source=hmc
| spath path=hmc_info{} output=LIST
| mvexpand LIST
| spath input=LIST
| where category == "power_frame"
| dedup hmc_name frame_name
| stats values(hmc_name) as hmc_names dc(hmc_name) as hmc_count by frame_serial frame_name datacenter
| eval hmc_name = hmc_names
| mvexpand hmc_name
| eventstats values(hmc_names) as hmc_pairs by hmc_name
| eval active_hmc=mvjoin(mvsort(hmc_names), "_")
| eval hmc_pair=mvjoin(mvsort(hmc_names), "_")
| eval hmc_redundancy=if(hmc_count=2, if(match(active_hmc, "^([^_]+)_([^_]+)$") AND mvcount(mvdedup(hmc_names))=2, "OK", "missing"), "NOT-OK")
| table active_hmc hmc_pairs frame_name, frame_serial,hmc_redundancy, datacenter
| sort +hmc_redundancy

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-12-2023 02:45 AM

Try something like this

index=aix_os source=hmc
| spath path=hmc_info{} output=LIST
| mvexpand LIST
| spath input=LIST
| where category == "power_frame"
| dedup hmc_name frame_name
| stats values(hmc_name) as hmc_names dc(hmc_name) as hmc_count by frame_serial frame_name datacenter
| eval hmc_name = hmc_names
| mvexpand hmc_name
| eventstats values(hmc_names) as hmc_pairs by hmc_name
| eval active_hmc=mvjoin(mvsort(hmc_names), "_")
| eval hmc_pair=mvjoin(mvsort(hmc_names), "_")
| eval hmc_redundancy=if(hmc_count=2, if(match(active_hmc, "^([^_]+)_([^_]+)$") AND mvcount(mvdedup(hmc_names))=2, "OK", "missing"), "NOT-OK")
| table active_hmc hmc_pairs frame_name, frame_serial,hmc_redundancy, datacenter
| sort +hmc_redundancy
Reply
Solved! Jump to solution

satish
Explorer
‎04-12-2023 03:11 AM

@ITWhisperer 

 

Many thanks for your solution.  The solution worked for me. 

 

 

Tags (1)
0 Karma
Reply
Solved! Jump to solution

scelikok
SplunkTrust
SplunkTrust
‎04-12-2023 02:43 AM

Hi @satish,

I can see on your query that active_hmc and hmc_pair both have the same values. Could you please show us the current output of your query (anonymized) as a sample and your desired output? 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply
Solved! Jump to solution

satish
Explorer
‎04-12-2023 03:17 AM

Hi @scelikok 

Below are the example output details.  The solution provided by @ITWhisperer appears to be working. 

Current Output: 
active_hmc   frame_name frame_serial hmc_redundancy datacenter
hcm5   POWER01    123456         NOT-OK        NYC
hcm5_hmc6  POWER02    876344         OK            NYC
 
 
Expected Output: 
active_hmc hmc_pair    frame_name frame_serial hmc_redundancy datacenter
hcm5   hcm5_hcm6     POWER01    123456         NOT-OK        NYC
hcm5_hmc6  hcm5_hmc6     POWER02    876344         OK            NYC

Thank you both for your quick help and support. 

 

 

 
0 Karma
Reply
Get Updates on the Splunk Community!

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

The University of Nevada, Las Vegas (UNLV) is another premier research institution helping to shape the next ...

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...