Re: Multiple records value in same table row

splunkuser320 · ‎11-22-2022

I have a job that runs multiple times if it failed. I need to create a dashboard with a table that shows all the attempts with status.

Logs

{id:"1",retrynumber:"1",uniqueid:"23213131",status:"Failed"}

{id:"1",retrynumber:"2",uniqueid:"43434333",status:"Failed"}

{id:"1",retrynumber:"3",uniqueid:"23213132",status:"Failed"}

{id:"1",retrynumber:"4",uniqueid:"23213154",status:"Passed"}

I want to have table like:

id retry1 retry2 retry3 retry 5

1 Failed Failed Failed Passed

bowesmana · ‎11-22-2022

If you have valid JSON in your logs and the fields are being extracted, then add this to the search

| eval retry{retrynumber}=status
| fields - retrynumber
| stats values(retry*) as retry* by id

yuanliu · ‎11-23-2022

I've never learned inline dereference with curly brackets. Thank you, @bowesmana!

bowesmana · ‎11-22-2022

You could also do it this way

| eval retrynumber="retry".retrynumber
| chart values(status) over id by retrynumber

How to show multiple records value in same table row?