Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to get the on time and off time over a category with place

SathyaNarayanan
Path Finder
‎09-03-2019 01:15 AM

Hi Splukers,

@niketnilay

I have table with 4 fields. I created the status with eval command with 

index=XXX sourcetype=XXX  
| search (PLSO=false AND PLSA=true) OR (PLSO=true AND PLSA=false) 
| eval Status = if(PLSO=="false","ON","OFF")
| table _time Place Type Status

_time Place Type Status
2019-09-03 00:00:33 ABC 1 OFF
2019-09-03 00:01:51 ABC 2 ON
2019-09-03 02:34:21 ABC 3 OFF
2019-09-03 02:43:06 ABC 1 ON
2019-09-03 02:47:51 ABC 2 OFF
2019-09-03 02:49:51 ABC 2 ON
2019-09-03 03:00:51 ABC 3 ON
2019-09-03 03:57:53 ABC 3 OFF
2019-09-03 04:10:53 ABC 1 OFF

Now i need the result as

Place type1-On:time type1-Off Time type2 -On:time type2 Off Time type3 On:time type3 Off Time
ABC 02:43:06 04:10:53 00:01:51 02:47:51 03:00:51 03:57:53

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎09-03-2019 06:29 AM

@SathyaNarayanan ,

Try

 index=XXX sourcetype=XXX  
| search (PLSO=false AND PLSA=true) OR (PLSO=true AND PLSA=false) 
| eval Status = if(PLSO=="false","ON","OFF")
| table _time Place Type Status
| sort _time     
| stats last(_time) as _time  by Type,Status,Place
| eval tmp="Type".Type."-".Status.":time"
| chart values(_time) as _time over Place by tmp

Updated as per comments:

  index=XXX sourcetype=XXX  
 | search (PLSO=false AND PLSA=true) OR (PLSO=true AND PLSA=false) 
 | eval Status = if(PLSO=="false","ON","OFF")
 | table _time Place Type Status
 | eval tmp=TYPE."_".Status."_"."Time"|streamstats count as group by Place,tmp
 | eval {tmp}=_time|stats values(*) as * by Place,group|fields - tmp,_time,group,Status,TYPE
Happy Splunking!

View solution in original post

Reply
Solved! Jump to solution

diogofgm
SplunkTrust
SplunkTrust
‎09-05-2019 02:40 AM

Try this:

index=XXX sourcetype=XXX  
| search (PLSO=false AND PLSA=true) OR (PLSO=true AND PLSA=false) 
| eval Status = if(PLSO=="false","ON","OFF")
| table _time Place Type Status
| eval column = "type".Type."-".Status.":time"
| xyseries Place column _time
------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎09-03-2019 06:29 AM

@SathyaNarayanan ,

Try

 index=XXX sourcetype=XXX  
| search (PLSO=false AND PLSA=true) OR (PLSO=true AND PLSA=false) 
| eval Status = if(PLSO=="false","ON","OFF")
| table _time Place Type Status
| sort _time     
| stats last(_time) as _time  by Type,Status,Place
| eval tmp="Type".Type."-".Status.":time"
| chart values(_time) as _time over Place by tmp

Updated as per comments:

  index=XXX sourcetype=XXX  
 | search (PLSO=false AND PLSA=true) OR (PLSO=true AND PLSA=false) 
 | eval Status = if(PLSO=="false","ON","OFF")
 | table _time Place Type Status
 | eval tmp=TYPE."_".Status."_"."Time"|streamstats count as group by Place,tmp
 | eval {tmp}=_time|stats values(*) as * by Place,group|fields - tmp,_time,group,Status,TYPE
Happy Splunking!
Reply
Solved! Jump to solution

renjith_nair
Legend
‎09-03-2019 11:01 PM

@SathyaNarayanan ,
As per your sample data and output in the question, it takes the latest time. Please provide the expected based on your sample data, for e.g. Type1 has two "OFF" records . How do you want to represent that?

Happy Splunking!
0 Karma
Reply
Solved! Jump to solution

SathyaNarayanan
Path Finder
‎09-04-2019 04:06 AM

@renjith.nair

i modified the query and got the below results.

_time   Status  Place   TYPE
 5:47:27    ON  A01 P_1
9:30    OFF A01 P_1
13:00   ON  A01 P_1
21:51   OFF A01 P_1
5:48    OFF A01 P_2
5:49    ON  A01 P_2
 3:33:38    ON  A02 P_1
12:35   ON  A02 P_1
 6:21:46    ON  A02 P_1
15:38   OFF A02 P_2
9:04    OFF A02 P_3

Now my final output should be below 

Place   P_1_ON_Time P_1_OFF_Time    P_2_ON_Time P_2_OFF_Time    P_3_ON_Time P_3_OFF_Time
A01 03/09/2019 5:47 03/09/2019 9:30 03/09/2019 5:49 03/09/2019 9:47     
A01 03/09/2019 13:00    03/09/2019 21:51                
A02 03/09/2019 3:33 03/09/2019 9:43 03/09/2019 3:37 03/09/2019 15:38        
A02 03/09/2019 12:35    03/09/2019 16:06                
A02                 03/09/2019 3:33 03/09/2019 9:04
0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎09-04-2019 04:35 AM

@SathyaNarayanan ,
Try

"your search"
|eval tmp=TYPE."_".Status."_"."Time"|table Place,tmp,_time
|eval {tmp}=_time|fields - tmp,_time|fillnull value="-"
Happy Splunking!
0 Karma
Reply
Solved! Jump to solution

SathyaNarayanan
Path Finder
‎09-04-2019 11:40 PM

@renjith.nair.

I tried your query, the reuslts are coming but i want this in single line.

Below was the ouput came from your query.

The output came in each lines.

Place   PLB_1_ON__time  PLB_1_OFF__time PLB_2_ON__time  PLB_2_OFF__time PLB_3_ON__time  PLB_3_OFF__time
A01 5:47 AM                  
A01                               9:30 AM                
A01  1:00 PM                     
A01                                  9:51 PM                 
A01                                                                  5:49 AM             
A01                                                                                                 9:47 AM      
A01                                                                  1:02 PM             
A02 3:33 AM                  
A02                              9:43 AM                 
A02 12:35 PM                     
A02                                    4:06 PM               
A02 6:21 PM                  
A02                                                                    3:37 AM           
A02                                                                                               3:38 PM        
A02                                                                    6:25 PM           
A02                                                                                                                         3:33 AM  
A02                                                                                                                                                          9:04 AM
0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎09-04-2019 11:56 PM

@SathyaNarayanan ,

Alright, I thought you want like a matrix,

Below should work for you

|eval tmp=TYPE."_".Status."_"."Time"|streamstats count as group by Place,tmp
|eval {tmp}=_time|stats values(*) as * by Place,group|fields - tmp,_time,group,Status,TYPE
Happy Splunking!
0 Karma
Reply
Solved! Jump to solution

SathyaNarayanan
Path Finder
‎09-05-2019 02:17 AM

Also can u explain wat happen when u use | eval {tmp}=_time in it ?

0 Karma
Reply
Solved! Jump to solution

SathyaNarayanan
Path Finder
‎09-05-2019 02:49 AM

WOW @renjith.nair

It worked for me, thank u very much.

0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎09-05-2019 03:36 AM

@SathyaNarayanan ,
Glad it worked. I will update as answer, please accept it .

eval {tmp}=_time - value of _tmp is used as the fieldname for _time.

Reference:
https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchReference/Eval#Field_names

Happy Splunking!
0 Karma
Reply
Solved! Jump to solution

SathyaNarayanan
Path Finder
‎09-03-2019 09:27 AM

@renjith.nair

when we do | stats last(_time) it takes the last on and off time per place. in my scenario. I might have many one and off.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...