Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create new field combined from existing fields

spisiakmi
Communicator
‎06-26-2019 12:24 AM

Hi I have such a table in which is described the proces of any TestMachine:
A B C D
TestStart TestStatus TestDuration TestEnd
11.03.2015 14:54:32 PASS 116 11.03.2015 14:56:28
11.03.2015 14:57:10 PASS 116 11.03.2015 14:59:06
11.03.2015 14:59:58 PASS 119 11.03.2015 15:01:57
11.03.2015 15:03:21 FAIL 66 11.03.2015 15:04:27
11.03.2015 15:04:54 PASS 116 11.03.2015 15:06:50
11.03.2015 15:10:29 FAIL 185 11.03.2015 15:13:34

I need to create a table or chart, where the status of the testmachine will be displayed.
x axis: time, where will be combined columns A and D
y axis: such a binari impuls 0 to 1, where the status of the machine will be displayed
legend (status of the machine): RUN, WAIT
RUN status: is between A1 and D1
WAIT status: is between D1 and A2

here is an example, what I need: https://ibb.co/M6bcWnh

the events are sorted from the oldiest event

Can you help me, please?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

spisiakmi
Communicator
‎09-09-2019 07:01 AM

I fixed it.
I created 3 multivalue fields:
1. | eval final_time=TestStart .",".TestEnd
2. | eval run="1,0"
3. | eval wait="0,1"

To the combination TestStart and TestEnd belongs multivalue field | eval run="1,0" (on start, run is 1, at the end the run is 0) and also the multivalue field | eval wait="0,1".

After that I created 3 new fields from the 3 previous multivalue fields

| makemv tokenizer="([^,]+),?" final_time
| makemv tokenizer="([^,]+),?" run
| makemv tokenizer="([^,]+),?" wait
| eval new=mvzip(final_time,run)
| eval neww=mvzip(new,wait)
| mvexpand neww
| eval time=substr(neww,1,19)
| eval run=substr(neww,21,1)
| eval wait=substr(neww,23,1)
| table time run wait

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

spisiakmi
Communicator
‎09-09-2019 07:01 AM

I fixed it.
I created 3 multivalue fields:
1. | eval final_time=TestStart .",".TestEnd
2. | eval run="1,0"
3. | eval wait="0,1"

To the combination TestStart and TestEnd belongs multivalue field | eval run="1,0" (on start, run is 1, at the end the run is 0) and also the multivalue field | eval wait="0,1".

After that I created 3 new fields from the 3 previous multivalue fields

| makemv tokenizer="([^,]+),?" final_time
| makemv tokenizer="([^,]+),?" run
| makemv tokenizer="([^,]+),?" wait
| eval new=mvzip(final_time,run)
| eval neww=mvzip(new,wait)
| mvexpand neww
| eval time=substr(neww,1,19)
| eval run=substr(neww,21,1)
| eval wait=substr(neww,23,1)
| table time run wait

0 Karma
Reply
Solved! Jump to solution

adonio
Ultra Champion
‎06-26-2019 10:20 AM

can you elaborate a little?
what does it mean: "x axis: time, where will be combined columns A and D"
what kind of combination?

0 Karma
Reply
Solved! Jump to solution

spisiakmi
Communicator
‎06-27-2019 12:25 AM

Hi adonio. Sorry for not such a clear explenation and thank you for your message. I fixed it.
I created 3 multivalue fields:
1. | eval final_time=TestStart .",".TestEnd
2. | eval run="1,0"
3. | eval wait="0,1"

To the combination TestStart and TestEnd belongs multivalue field | eval run="1,0" (on start, run is 1, at the end the run is 0) and also the multivalue field | eval wait="0,1".

After that I created 3 new fields from the 3 previous multivalue fields

| makemv tokenizer="([^,]+),?" final_time
| makemv tokenizer="([^,]+),?" run
| makemv tokenizer="([^,]+),?" wait
| eval new=mvzip(final_time,run)
| eval neww=mvzip(new,wait)
| mvexpand neww
| eval time=substr(neww,1,19)
| eval run=substr(neww,21,1)
| eval wait=substr(neww,23,1)
| table time run wait

Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...