Splunk Search

How to edit my transaction search to display the timestamp for each row in my table?

sridharreddy
New Member

Hi Somesh,

How
My search:

transaction part| timechart values(duration) as duration,values(rollno) as rollno

Result:

_time                   duration     rollno
2016-08-07 21:13:00     10.07        1
                        9.56         2
                        7.35         3
                        12.32        4

I need output in below format:

_time                   duration     rollno
2016-08-07 21:13:00     10.07        1
2016-08-07 21:13:00     9.56         2
2016-08-07 21:13:00     7.35         3
2016-08-07 21:13:00     12.32        4

thanks


acharlieh
Influencer

Your first example seems to be 1 event, with two multi-valued fields, and your desired result seems to be 4 events with single valued fields.

Out of curiosity, what benefit is the timechart command giving you and what does the data look like coming out of the transaction command? If the goal is to bin events together based on time and each transaction is producing a duration and rollno then you might be interested in the bin command instead like so:

transaction part | bin bins=100 _time | table _time duration rollno

If you want exact time (per transaction) you could even just omit the bin command. Now you could also leverage a combination of eval using mvzip and mvexpand.

transaction part | timechart values(duration) as duration,values(rollno) as rollno | eval key = mvzip(duration,rollno,":") | mvexpand key | rex field=key "^(?<duration>[^:]*):(?<rollno>.*)$" | table _time duration rollno

The problem with this one (in addition to the possible syntax errors, as I'm doing this off the top of my head without throwing it into a Splunk instance right now) involves the implication that the first duration corresponds with the first rollno. The values stats function you're using in the timechart only cares about uniqueness of values and doesn't necessarily preserve order at all. Even using list(X), which preserves order and keeps all values (no guaranteed uniqueness), you're making the implication that the Nth values correspond with each other, which depending on your data could be problematic; but the first possible solution may even be easier than this.
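To make the ordering caveat in the answer above concrete, here is an added example (not from the original post, and not Splunk code) that re-implements in plain Python the documented semantics of the SPL pieces involved: values(X) returns the distinct values in lexicographic order, list(X) returns every value in input order, mvzip joins the N-th elements of two multivalue fields, and mvexpand emits one row per element. The four transactions are constructed sample rows that all land in one timechart span; the helper names (spl_values, spl_list, expand_pipeline, table_pipeline) are this example's own, not Splunk commands.

```python
"""Model of the mvzip/mvexpand pipeline from the answer, showing why pairing
the outputs of values() positionally is unsafe while list() keeps input order,
and why the plain `table` approach avoids the pairing problem altogether.

Added example: a Python re-implementation of SPL semantics on constructed
rows, not code from the original post or from Splunk.
"""

# Constructed sample: four transactions that fall in the same timechart span.
TRANSACTIONS = [
    {"_time": "2016-08-07 21:13:00", "duration": "10.07", "rollno": "1"},
    {"_time": "2016-08-07 21:13:00", "duration": "9.56", "rollno": "2"},
    {"_time": "2016-08-07 21:13:00", "duration": "7.35", "rollno": "3"},
    {"_time": "2016-08-07 21:13:00", "duration": "12.32", "rollno": "4"},
]


def spl_values(rows, field):
    """values(X): distinct values, lexicographically sorted (Splunk's documented order)."""
    return sorted({r[field] for r in rows})


def spl_list(rows, field):
    """list(X): every value, in input order, duplicates kept."""
    return [r[field] for r in rows]


def mvzip(a, b, delim=":"):
    """mvzip(A, B, delim): join the i-th element of A with the i-th element of B."""
    return [f"{x}{delim}{y}" for x, y in zip(a, b)]


def mvexpand(row, field):
    """mvexpand: one copy of the row per value of the multivalue field."""
    return [{**row, field: v} for v in row[field]]


def expand_pipeline(rows, agg):
    """timechart agg(duration),agg(rollno) | eval key=mvzip(...) | mvexpand key | rex ...

    `agg` is spl_values or spl_list. All input rows are assumed to share one span.
    """
    span = {
        "_time": rows[0]["_time"],
        "duration": agg(rows, "duration"),
        "rollno": agg(rows, "rollno"),
    }
    span["key"] = mvzip(span["duration"], span["rollno"])
    out = []
    for r in mvexpand(span, "key"):
        duration, rollno = r["key"].split(":", 1)  # the rex in the answer
        out.append({"_time": r["_time"], "duration": duration, "rollno": rollno})
    return out


def table_pipeline(rows):
    """transaction part | table _time duration rollno: no aggregation, nothing to re-pair."""
    return [{"_time": r["_time"], "duration": r["duration"], "rollno": r["rollno"]}
            for r in rows]


def pairs(rows):
    """The (duration, rollno) pairs a result claims, for comparison with the truth."""
    return {(r["duration"], r["rollno"]) for r in rows}


if __name__ == "__main__":
    truth = pairs(TRANSACTIONS)
    # values() sorts "10.07","12.32","7.35","9.56" but rollno "1","2","3","4":
    # rollno 2 is now paired with 12.32 and rollno 4 with 9.56.
    print("values() pairing correct:", pairs(expand_pipeline(TRANSACTIONS, spl_values)) == truth)
    print("list()   pairing correct:", pairs(expand_pipeline(TRANSACTIONS, spl_list)) == truth)
    print("table    pairing correct:", pairs(table_pipeline(TRANSACTIONS)) == truth)
```

With these four rows, values() sorts the durations as strings to 10.07, 12.32, 7.35, 9.56 while the rollnos stay 1, 2, 3, 4, so mvzip silently attributes 12.32 to rollno 2 and 9.56 to rollno 4. list() keeps both fields in event order and the pairs survive, but only because every transaction contributed exactly one value to each field; a transaction with a missing or multivalued field would shift the positions. The table form never merges rows, so there is nothing to re-pair.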
