Splunk Search

How to create new field combined from existing fields

Communicator

Hi, I have such a table, in which the process of a TestMachine is described:
A B C D
TestStart TestStatus TestDuration TestEnd
11.03.2015 14:54:32 PASS 116 11.03.2015 14:56:28
11.03.2015 14:57:10 PASS 116 11.03.2015 14:59:06
11.03.2015 14:59:58 PASS 119 11.03.2015 15:01:57
11.03.2015 15:03:21 FAIL 66 11.03.2015 15:04:27
11.03.2015 15:04:54 PASS 116 11.03.2015 15:06:50
11.03.2015 15:10:29 FAIL 185 11.03.2015 15:13:34

I need to create a table or chart, where the status of the testmachine will be displayed.
x axis: time, where will be combined columns A and D
y axis: a binary impulse 0 to 1, where the status of the machine will be displayed
legend (status of the machine): RUN, WAIT
RUN status: is between A1 and D1
WAIT status: is between D1 and A2

here is an example, what I need: https://ibb.co/M6bcWnh

the events are sorted from the oldest event

Can you help me, please?

1 Solution

Communicator

I fixed it.
I created 3 multivalue fields:
1. | eval final_time=TestStart .",".TestEnd
2. | eval run="1,0"
3. | eval wait="0,1"

To the combination of TestStart and TestEnd belongs the multivalue field | eval run="1,0" (at the start, run is 1; at the end, run is 0) and also the multivalue field | eval wait="0,1".

After that I created 3 new fields from the 3 previous multivalue fields

| makemv tokenizer="([^,]+),?" final_time
| makemv tokenizer="([^,]+),?" run
| makemv tokenizer="([^,]+),?" wait
| eval new=mvzip(final_time,run)
| eval neww=mvzip(new,wait)
| mvexpand neww
| eval time=substr(neww,1,19)
| eval run=substr(neww,21,1)
| eval wait=substr(neww,23,1)
| table time run wait



SplunkTrust

can you elaborate a little?
what does it mean: "x axis: time, where will be combined columns A and D"
what kind of combination?


Communicator

Hi adonio. Sorry for the unclear explanation, and thank you for your message. I fixed it.
I created 3 multivalue fields:
1. | eval final_time=TestStart .",".TestEnd
2. | eval run="1,0"
3. | eval wait="0,1"

To the combination of TestStart and TestEnd belongs the multivalue field | eval run="1,0" (at the start, run is 1; at the end, run is 0) and also the multivalue field | eval wait="0,1".

After that I created 3 new fields from the 3 previous multivalue fields

| makemv tokenizer="([^,]+),?" final_time
| makemv tokenizer="([^,]+),?" run
| makemv tokenizer="([^,]+),?" wait
| eval new=mvzip(final_time,run)
| eval neww=mvzip(new,wait)
| mvexpand neww
| eval time=substr(neww,1,19)
| eval run=substr(neww,21,1)
| eval wait=substr(neww,23,1)
| table time run wait
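The following is an added example, not code from the poster or from Splunk. It replays the accepted SPL (final_time/run/wait multivalue fields, mvzip, mvexpand, substr) in plain Python on the rows from the question's table so you can see exactly which (time, run, wait) points the search emits, and it adds two checks the chart silently depends on: that the rows are sorted and do not overlap, and that TestDuration really equals TestEnd minus TestStart. The function names, the ROWS constant and the FMT date format are assumptions made for this example; the fixed substr offsets (19, 21, 23) only hold because every timestamp has the same 19-character layout.

```python
from datetime import datetime

# Assumed timestamp layout of the TestStart/TestEnd columns (dd.mm.yyyy HH:MM:SS).
FMT = "%d.%m.%Y %H:%M:%S"

# Constructed sample input: the rows from the question's table
# (TestStart, TestStatus, TestDuration in seconds, TestEnd).
ROWS = [
    ("11.03.2015 14:54:32", "PASS", 116, "11.03.2015 14:56:28"),
    ("11.03.2015 14:57:10", "PASS", 116, "11.03.2015 14:59:06"),
    ("11.03.2015 14:59:58", "PASS", 119, "11.03.2015 15:01:57"),
    ("11.03.2015 15:03:21", "FAIL",  66, "11.03.2015 15:04:27"),
    ("11.03.2015 15:04:54", "PASS", 116, "11.03.2015 15:06:50"),
    ("11.03.2015 15:10:29", "FAIL", 185, "11.03.2015 15:13:34"),
]


def expand_run_wait(rows):
    """Reproduce the accepted SPL step by step.

    Each row becomes three comma-separated multivalue fields
    (final_time="start,end", run="1,0", wait="0,1"); mvzip joins them
    element-wise, mvexpand yields one event per element, and substr cuts
    the pieces back out. Returns (time, run, wait) tuples, two per row.
    """
    points = []
    for start, _status, _duration, end in rows:
        final_time = f"{start},{end}"   # eval final_time=TestStart.",".TestEnd
        run = "1,0"                     # eval run="1,0"
        wait = "0,1"                    # eval wait="0,1"
        # makemv splits on the comma; mvzip joins element-wise using "," as delimiter,
        # so each element looks like "11.03.2015 14:54:32,1,0".
        neww_values = [
            ",".join(parts)
            for parts in zip(final_time.split(","), run.split(","), wait.split(","))
        ]
        # mvexpand neww, then substr(neww,1,19) / substr(neww,21,1) / substr(neww,23,1)
        # (SPL substr is 1-based, Python slicing is 0-based).
        for neww in neww_values:
            points.append((neww[0:19], int(neww[20:21]), int(neww[22:23])))
    return points


def check_rows(rows):
    """Consistency checks: rows sorted and non-overlapping, and
    TestDuration equal to TestEnd - TestStart. Returns a list of problems."""
    problems = []
    prev_end = None
    for i, (start, _status, duration, end) in enumerate(rows):
        t0 = datetime.strptime(start, FMT)
        t1 = datetime.strptime(end, FMT)
        actual = int((t1 - t0).total_seconds())
        if actual != duration:
            problems.append(f"row {i}: TestDuration {duration} != {actual}")
        if prev_end is not None and t0 < prev_end:
            problems.append(f"row {i}: starts before the previous row ended")
        prev_end = t1
    return problems


def wait_seconds(rows):
    """Length in seconds of every WAIT interval (TestEnd of one row to TestStart of the next)."""
    gaps = []
    for (_s0, _st0, _d0, end), (start, _st1, _d1, _e1) in zip(rows, rows[1:]):
        gap = datetime.strptime(start, FMT) - datetime.strptime(end, FMT)
        gaps.append(int(gap.total_seconds()))
    return gaps


if __name__ == "__main__":
    for point in expand_run_wait(ROWS):
        print(point)
    print("problems:", check_rows(ROWS))
    print("wait gaps (s):", wait_seconds(ROWS))
```

Plotted as a line chart with `time` on the x axis, the `run` series steps 1 at each TestStart and 0 at each TestEnd, while `wait` is its mirror image, which is the RUN/WAIT impulse the question asked for. If `check_rows` reports an overlap, the two series would cross mid-interval and the chart would be misleading, which is why the sort order of the input matters.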