Splunk Search

How to show multiple records value in same table row?

splunkuser320
Path Finder

I have a job that runs multiple times if it failed. I need to create a dashboard with a table that shows all the attempts with status. 

Logs

{id:"1",retrynumber:"1",uniqueid:"23213131",status:"Failed"}

{id:"1",retrynumber:"2",uniqueid:"43434333",status:"Failed"}

{id:"1",retrynumber:"3",uniqueid:"23213132",status:"Failed"}

{id:"1",retrynumber:"4",uniqueid:"23213154",status:"Passed"}

I want to have table like:

id     retry1     retry2     retry3     retry 5

1      Failed      Failed      Failed      Passed

 

Labels (3)
0 Karma

bowesmana
SplunkTrust
SplunkTrust

If you have valid JSON in your logs and the fields are being extracted, then add this to the search

| eval retry{retrynumber}=status
| fields - retrynumber
| stats values(retry*) as retry* by id

yuanliu
SplunkTrust
SplunkTrust

I've never learned inline dereference with curly brackets.  Thank you, @bowesmana!

0 Karma

bowesmana
SplunkTrust
SplunkTrust

You could also do it this way

| eval retrynumber="retry".retrynumber
| chart values(status) over id by retrynumber
Get Updates on the Splunk Community!

Cisco Use Cases, ITSI Best Practices, and More New Articles from Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Build Your First SPL2 App!

Watch the recording now!.Do you want to SPL™, too? SPL2, Splunk's next-generation data search and preparation ...

Exporting Splunk Apps

Join us on Monday, October 21 at 11 am PT | 2 pm ET!With the app export functionality, app developers and ...