Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to create new field combined from existing...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
spisiakmi
Contributor
06-26-2019
12:24 AM
Hi I have such a table in which is described the proces of any TestMachine:
A B C D
TestStart TestStatus TestDuration TestEnd
11.03.2015 14:54:32 PASS 116 11.03.2015 14:56:28
11.03.2015 14:57:10 PASS 116 11.03.2015 14:59:06
11.03.2015 14:59:58 PASS 119 11.03.2015 15:01:57
11.03.2015 15:03:21 FAIL 66 11.03.2015 15:04:27
11.03.2015 15:04:54 PASS 116 11.03.2015 15:06:50
11.03.2015 15:10:29 FAIL 185 11.03.2015 15:13:34
I need to create a table or chart, where the status of the testmachine will be displayed.
x axis: time, where will be combined columns A and D
y axis: such a binari impuls 0 to 1, where the status of the machine will be displayed
legend (status of the machine): RUN, WAIT
RUN status: is between A1 and D1
WAIT status: is between D1 and A2
here is an example, what I need: https://ibb.co/M6bcWnh
the events are sorted from the oldiest event
Can you help me, please?
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
spisiakmi
Contributor
09-09-2019
07:01 AM
I fixed it.
I created 3 multivalue fields:
1. | eval final_time=TestStart .",".TestEnd
2. | eval run="1,0"
3. | eval wait="0,1"
To the combination TestStart and TestEnd belongs multivalue field | eval run="1,0" (on start, run is 1, at the end the run is 0) and also the multivalue field | eval wait="0,1".
After that I created 3 new fields from the 3 previous multivalue fields
| makemv tokenizer="([^,]+),?" final_time
| makemv tokenizer="([^,]+),?" run
| makemv tokenizer="([^,]+),?" wait
| eval new=mvzip(final_time,run)
| eval neww=mvzip(new,wait)
| mvexpand neww
| eval time=substr(neww,1,19)
| eval run=substr(neww,21,1)
| eval wait=substr(neww,23,1)
| table time run wait
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
spisiakmi
Contributor
09-09-2019
07:01 AM
I fixed it.
I created 3 multivalue fields:
1. | eval final_time=TestStart .",".TestEnd
2. | eval run="1,0"
3. | eval wait="0,1"
To the combination TestStart and TestEnd belongs multivalue field | eval run="1,0" (on start, run is 1, at the end the run is 0) and also the multivalue field | eval wait="0,1".
After that I created 3 new fields from the 3 previous multivalue fields
| makemv tokenizer="([^,]+),?" final_time
| makemv tokenizer="([^,]+),?" run
| makemv tokenizer="([^,]+),?" wait
| eval new=mvzip(final_time,run)
| eval neww=mvzip(new,wait)
| mvexpand neww
| eval time=substr(neww,1,19)
| eval run=substr(neww,21,1)
| eval wait=substr(neww,23,1)
| table time run wait
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
adonio
Ultra Champion
06-26-2019
10:20 AM
can you elaborate a little?
what does it mean: "x axis: time, where will be combined columns A and D"
what kind of combination?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
spisiakmi
Contributor
06-27-2019
12:25 AM
Hi adonio. Sorry for not such a clear explenation and thank you for your message. I fixed it.
I created 3 multivalue fields:
1. | eval final_time=TestStart .",".TestEnd
2. | eval run="1,0"
3. | eval wait="0,1"
To the combination TestStart and TestEnd belongs multivalue field | eval run="1,0" (on start, run is 1, at the end the run is 0) and also the multivalue field | eval wait="0,1".
After that I created 3 new fields from the 3 previous multivalue fields
| makemv tokenizer="([^,]+),?" final_time
| makemv tokenizer="([^,]+),?" run
| makemv tokenizer="([^,]+),?" wait
| eval new=mvzip(final_time,run)
| eval neww=mvzip(new,wait)
| mvexpand neww
| eval time=substr(neww,1,19)
| eval run=substr(neww,21,1)
| eval wait=substr(neww,23,1)
| table time run wait
Get Updates on the Splunk Community!
Unleash the Power of Splunk MCP and AI, Meet Us at .Conf 2025, and Find Even More New ...
Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
Observability Professionals: Build Resilience and Visibility with These .conf25 ...
If you're focused on performance, availability, and full-stack visibility, the Observability track at ...
See just what you’ve been missing | Observability tracks at Splunk University
Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...
