Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to edit my search to separate values in a column into two columns in my resulting table?

prashanthberam
Explorer
‎12-14-2016 01:38 PM

I have the table like this:

time           info    id     response time
start time1    in      571          
end time1      out     571    10.01
start time2    in      560               
end time2      out     560    11.01

but I want to display it like this:

starttime1     end time1     id     responsetime
starttime2     end time2     id     responsetime

My search is like this:

index=**** source="*****_****"   "getProcedureDetailBlueChip" OR "getProcedureDetailBlueChipResponse" AND "Outbound Message" OR "Inbound Message" |rex "(?.{23})"|rex field=_raw "INFO  :(?.*)"|rex field=_raw "ID:(?.*)"|sort _time|streamstats current=f last(_time) as LastTime by ID,source|eval ResponseTime=_time-LastTime|sort -ID|table Time,INFO,ID,ResponseTime

I have attached the table pic too.
alt text
Can anybody help please? Thanks in advance.

Preview file
34 KB
0 Karma
Reply

sundareshr
Legend
‎12-14-2016 04:18 PM

Try this

index=**** source="*****_****"   "getProcedureDetailBlueChip" OR "getProcedureDetailBlueChipResponse" AND "Outbound Message" OR "Inbound Message" | rex "(?<info>Inbound|Outbound)" | rex "ID:(?<id>.*)" | chart earliest(_time) as time over id by info | eval responsetime=outbound-inbound | eval responsetime=tostring(responsetime, "duration") | convert ctime(*bound) AS *bound
0 Karma
Reply

prashanthberam
Explorer
‎12-14-2016 05:52 PM

Thanks sundar..it looks somewhat working but I have duplicates in the id's but when am searching the different sources I can achieve that cloud you please tell me where I can include source in my code.

0 Karma
Reply

sundareshr
Legend
‎12-15-2016 03:07 AM

What do you mean "duplicates in the id"? Try adding this before the chart segment. | eval id=source."::".id

0 Karma
Reply

snoobzilla
Builder
‎12-14-2016 01:50 PM 
| eval starttime=if(INFO="Inbound Message", Time, null())
| eval endtime=if(INFO="Outbound Message", Time, null()
| stats values(starttime) AS starttime values(endtime) AS endtime values(ResponseTime) by ID

Above should get you close.

0 Karma
Reply

prashanthberam
Explorer
‎12-14-2016 05:53 PM

yes ...they have duplicates id's

0 Karma
Reply

prashanthberam
Explorer
‎12-14-2016 02:14 PM

am not getting any results in the Time field..

0 Karma
Reply

snoobzilla
Builder
‎12-14-2016 03:27 PM

You had a Time field in the table, was assuming you would append what I posted onto your query.

Are the IDs unique or do they repeat? Whats max response time? How many events would you search over... if only a few thousand transaction could be a good fit.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk on November 6 at 11AM PT, and empower your SOC to reach new heights! Duration: ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...