Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to split a row by 2 field values

Trishant
Explorer
‎11-18-2017 08:20 AM

I have a sample data which I am trying to split over 2 fields.

For Example:

alt text

In above image we have a test case ID which has some values in Different time spans, It contains combined values form 2 different vendors let say A and B.

What I need is to split this row into 2 parts for 2 vendors one having data for A and another having data for B.???

And please tell me how to sort this span buckets. 0-3, 12-15, 15-18, 18-21, 3-6......???

Tags (1)
Preview file
1 KB
0 Karma
Reply

somesoni2
Revered Legend
‎11-20-2017 12:18 PM

Try like this

...base search

| where build="Vendor A" OR build="Vendor B"
| sort +iteration 
| eval Test_CaseID = testId + ": " + testcase + "#" + build
| chart count(Test_CaseID) as Total_Runs over Test_CaseID by duration bins=100
| untable Test_CaseID, Time_Taken, count 
| eventstats sum(count) as Total by Test_CaseID
| eval perc=round(count*100/Total,2) 
| fields - count(Total) 
| xyseries Test_CaseID, Time_Taken, perc
| rex field=Test_CaseID "(?<Test_CaseID>[^#]+)#(?<Build>.+)"

There is no easy way to sort those dynamic columns for bins of Time Taken as they're treated as string when converted to columns.

0 Karma
Reply

Trishant
Explorer
‎11-20-2017 08:32 AM

Hi,

  1. I have used below search to get this view

sort +iteration | eval testId = testId + ": " + testcase |
rename testId as Test_CaseID, build as Build, duration as Time_Taken | where (Build= "Vendor A" OR Build= "Vendor B") |
chart count(Test_CaseID) as Total_Runs over Test_CaseID by Time_Taken bins=100|
untable Test_CaseID, Time_Taken, count |
eventstats sum(count) as Total by Test_CaseID|
eval perc=round(count*100/Total,2) | fields - count(Total) |
xyseries Test_CaseID, Time_Taken, perc|

so this 96.00 is coming from Vendor A + Vendor B
what I want is 2 rows with same Test_CaseID(1 for A and another for B)

  1. Yes, I want to sort sequence of these span columns like 0-3, 3-6, 6-9, 9-12.....
0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎11-20-2017 08:50 AM

HI @Trishant,
Got it.

Can you share some sample event & expected output ?? So I can try to design search for you.

Thanks

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎11-18-2017 06:30 PM

HI @Trishant,

How you want to split this event between 2 vendors?? I mean if we say for span column "0-3" then how we can split value "96.00"?

And you asked about sorting of 0-3, 12-15, 15-18, 18-21, 3-6, do you want to sort sequence of these span columns??

Thanks

Reply

Trishant
Explorer
‎11-20-2017 02:33 AM

Hi,

  1. I have used below search to get this view

sort +iteration | eval testId = testId + ": " + testcase |
rename testId as Test_CaseID, build as Build, duration as Time_Taken | where (Build= "Vendor A" OR Build= "Vendor B") |
chart count(Test_CaseID) as Total_Runs over Test_CaseID by Time_Taken bins=100|
untable Test_CaseID, Time_Taken, count |
eventstats sum(count) as Total by Test_CaseID|
eval perc=round(count*100/Total,2) | fields - count(Total) |
xyseries Test_CaseID, Time_Taken, perc|

so this 96.00 is coming from Vendor A + Vendor B
what I want is 2 rows with same Test_CaseID(1 for A and another for B)

  1. Yes, I want to sort sequence of these span columns like 0-3, 3-6, 6-9, 9-12.....
0 Karma
Reply

niketn
Legend
‎11-18-2017 06:21 PM

@Trishant, you would need to add more details. What is the field to identify VendorA and VendorB. What is your current SPL? Also can you sample some event data (after mocking/anonymizing any sensitive information)?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply

Trishant
Explorer
‎11-20-2017 02:34 AM

Hi,

I have used below search to get this view

sort +iteration | eval testId = testId + ": " + testcase |
rename testId as Test_CaseID, build as Build, duration as Time_Taken | where (Build= "Vendor A" OR Build= "Vendor B") |
chart count(Test_CaseID) as Total_Runs over Test_CaseID by Time_Taken bins=100|
untable Test_CaseID, Time_Taken, count |
eventstats sum(count) as Total by Test_CaseID|
eval perc=round(count*100/Total,2) | fields - count(Total) |
xyseries Test_CaseID, Time_Taken, perc|

so this 96.00 is coming from Vendor A + Vendor B
what I want is 2 rows with same Test_CaseID(1 for A and another for B)

  1. Yes, I want to sort sequence of these span columns like 0-3, 3-6, 6-9, 9-12.....

Hope this might help you in some extent...

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...