Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to divide each line and data row?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
htramtran83
Explorer
09-16-2019
10:53 AM
ServiceTitle KPITitle kpis_key
SmartCas ServiceHealthScore SHKPI-17c3399b-d559-4e91
CPU Utilization: % 793faace-3431-4d54-a54c-f07fbb520425
IOWait % 9e984025-b4ba-43c1-a165
Storage Operations: Latency 3d063082-9fe2-48f4
GC-Major Collection Time Spent Per Min : 33a4d376ed6e7d5aa0be31b1
The search I run is :
| inputlookup service_kpi_lookup| rename title as ServiceTitle kpis.title as KPITitle
| fields ServiceTitle, KPITitle, kpis_key
How can I run each of line of service name is same row of KPI title and kpi key (it doesn't matter if duplicate)
thank you.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
htramtran83
Explorer
09-18-2019
07:28 AM
I have my own answer,
I used the query with mvzip and mvindex:
my search
| eval kpis_info = mvzip(mvzip(mvzip(kpis_key, kpis_base_search, "==@@=="), kpis_search_type, "==@@=="), kpis_title, "==@@==")
| mvexpand kpis_info
| eval kpis_info=split(kpis_info, "==@@==")
| eval kpis_base_search=mvindex(kpis_info, 1)
| eval kpis_key=mvindex(kpis_info,0)
| eval kpis_title=mvindex(kpis_info,3)
| eval kpis_search_type=mvindex(kpis_info,2)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
htramtran83
Explorer
09-18-2019
07:28 AM
I have my own answer,
I used the query with mvzip and mvindex:
my search
| eval kpis_info = mvzip(mvzip(mvzip(kpis_key, kpis_base_search, "==@@=="), kpis_search_type, "==@@=="), kpis_title, "==@@==")
| mvexpand kpis_info
| eval kpis_info=split(kpis_info, "==@@==")
| eval kpis_base_search=mvindex(kpis_info, 1)
| eval kpis_key=mvindex(kpis_info,0)
| eval kpis_title=mvindex(kpis_info,3)
| eval kpis_search_type=mvindex(kpis_info,2)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
richgalloway
SplunkTrust
09-17-2019
11:11 AM
Please share the format of your CSV file.
---
If this reply helps you, Karma would be appreciated.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
richgalloway
SplunkTrust
09-16-2019
12:58 PM
Try
| inputlookup service_kpi_lookup| rename title as ServiceTitle kpis.title as KPITitle
| filldown ServiceTitle
| fields ServiceTitle, KPITitle, kpis_key
---
If this reply helps you, Karma would be appreciated.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
htramtran83
Explorer
09-16-2019
01:52 PM
hi,
thank you for your answer.
It doesn't work unfortunately. The result is the same with the full list of KPITilte and one line of ServiceTitle.
I also try something with mvzip and mvindex, I return with wrong code.
| inputlookup service_kpi_lookup
| eval field=mvzip(mvzip(kpis._key,kpis.tilte),sec_grp)
| stats count by title field
| eval kpis_key=mvindex(split(field,","),0), KPITitle=mvindex(split(field,",")1)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
htramtran83
Explorer
09-18-2019
07:29 AM
I have my own solution with :
my search...
| eval kpis_info = mvzip(mvzip(mvzip(kpis_key, kpis_base_search, "==@@=="), kpis_search_type, "==@@=="), kpis_title, "==@@==")
| mvexpand kpis_info
| eval kpis_info=split(kpis_info, "==@@==")
| eval kpis_base_search=mvindex(kpis_info, 1)
| eval kpis_key=mvindex(kpis_info,0)
| eval kpis_title=mvindex(kpis_info,3)
| eval kpis_search_type=mvindex(kpis_info,2)
Get Updates on the Splunk Community!
Aligning Observability Costs with Business Value: Practical Strategies
Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...
Mastering Data Pipelines: Unlocking Value with Splunk
In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...
Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0
Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...
