Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to edit my search to transpose data field (in column) to header field?

rflouquet
Explorer
‎05-19-2017 08:35 AM

Hello,

I'm trying to get this table :

Device ----- Interface ----- March ----- April ----- .....

device1 ----- interface1 ----- LoaddurationM1 ----- LoaddurationA1 ----- .....

device2 ----- interface2 ----- LoaddurationM2 ----- LoaddurationA2 ----- .....

But after running my search I'm getting the table :

Month ----- Device----- Interface----- Load Duration
March----- device1 ----- interface1----- LoaddurationM1
April----- device1 ----- interface1----- LoaddurationA1
April----- device2 ----- interface2----- LoaddurationA2
March----- device2 ----- interface2 ----- LoaddurationM2

I tried the "transpose" command but nothing works.

My search is the next one : 

sourcetype=csv Device=*
| eval LD=if(Bits_out_sec>Bandwidth*0.8, Duration, 0)
|stats sum(Duration) AS TotalDuration sum(LD) AS TotalLD BY date_month, Device, Interface
|eval "Load Duration"=round(TotalLD/TotalDuration*100,2)
|table date_month, Device, Interface, "Load Duration"

If you have any idea it would be great.

Thanks a lot,

Romain

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎05-19-2017 03:26 PM

Try this:

sourcetype=csv Device=*
| eval LD=if(Bits_out_sec>Bandwidth*0.8, Duration, 0)
| stats sum(Duration) AS TotalDuration sum(LD) AS TotalLD BY date_month, Device, Interface
| eval "Load Duration"=round(TotalLD/TotalDuration*100,2)
| eval Device_Interface = Device . ":::" . Interface
| fields - Device Interface
| xyseries Device_Interface date_month "Load Duration"
| rex field=Device_Interface "^(?<Device>.*?):::(?<Interface>.*)$"
| fields - Device_Interface
| table Device Interface *

You will now probably care about the ordering of the months along the top, for that, see my (should-be-accepted-but-unfortunately-hasn't-been) answer on this Q&A:

https://answers.splunk.com/answers/522959/cannot-sort-dynamic-column-in-date-format.html

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎05-19-2017 03:26 PM

Try this:

sourcetype=csv Device=*
| eval LD=if(Bits_out_sec>Bandwidth*0.8, Duration, 0)
| stats sum(Duration) AS TotalDuration sum(LD) AS TotalLD BY date_month, Device, Interface
| eval "Load Duration"=round(TotalLD/TotalDuration*100,2)
| eval Device_Interface = Device . ":::" . Interface
| fields - Device Interface
| xyseries Device_Interface date_month "Load Duration"
| rex field=Device_Interface "^(?<Device>.*?):::(?<Interface>.*)$"
| fields - Device_Interface
| table Device Interface *

You will now probably care about the ordering of the months along the top, for that, see my (should-be-accepted-but-unfortunately-hasn't-been) answer on this Q&A:

https://answers.splunk.com/answers/522959/cannot-sort-dynamic-column-in-date-format.html

0 Karma
Reply
Solved! Jump to solution

rflouquet
Explorer
‎05-22-2017 01:23 AM

Thanks a lot @woodcock, It work !

I'm looking att your "should-be-accepted...........answer" too !

Thanks

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎05-22-2017 08:54 AM

If any answer over there helps, be sure to up-vote.

0 Karma
Reply
Solved! Jump to solution

cmerriman
Super Champion
‎05-19-2017 08:55 AM

try this:

sourcetype=csv Device=*
 | eval LD=if(Bits_out_sec>Bandwidth*0.8, Duration, 0)
 |stats sum(Duration) AS TotalDuration sum(LD) AS TotalLD BY date_month, Device, Interface
|eval deviceInterface=Device+" - "+Interface
|eval "LoadDuration"=round(TotalLD/TotalDuration*100,2)
|chart values(LoadDuration) as LoadDuration by deviceInterface
|makemv deviceInterface delim=" - "
|eval Interface=mvindex(deviceInterface ,1)
|eval Device=mvindex(deviceInterface ,0)
|fields - deviceInterface
0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What’s New & Next in Splunk SOAR

Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us for an ...

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

 Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team for an ...