I have some sample data which I am trying to split over 2 fields.
For example:
In the above image we have a test case ID which has some values in different time spans. It contains combined values from 2 different vendors, let's say A and B.
What I need is to split this row into 2 parts for the 2 vendors, one having data for A and another having data for B.
And please tell me how to sort these span buckets: 0-3, 12-15, 15-18, 18-21, 3-6......
Try like this
...base search
| where build="Vendor A" OR build="Vendor B"
| sort +iteration
| eval Test_CaseID = testId + ": " + testcase + "#" + build
| chart count(Test_CaseID) as Total_Runs over Test_CaseID by duration bins=100
| untable Test_CaseID, Time_Taken, count
| eventstats sum(count) as Total by Test_CaseID
| eval perc=round(count*100/Total,2)
| fields - count, Total
| xyseries Test_CaseID, Time_Taken, perc
| rex field=Test_CaseID "(?<Test_CaseID>[^#]+)#(?<Build>.+)"
There is no easy way to sort those dynamic columns for bins of Time Taken, as they're treated as strings when converted to columns.
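A common workaround for the string ordering described above, shown as an added example that is not part of the original answer: zero-pad the bucket labels before charting, so that the string sort of the columns matches numeric order. The events are constructed with makeresults; span=3, the three-digit padding width (durations below 1000) and the field names n, span_label, lo and hi are assumptions.

```spl
| makeresults count=42
| streamstats count as n
| eval testId="101", testcase="login"
| eval build=if(n % 2 == 0, "Vendor A", "Vendor B")
| eval duration=(n * 5) % 21
| eval Test_CaseID = testId . ": " . testcase . "#" . build
| bin span=3 duration AS span_label
| rex field=span_label "^(?<lo>\d+)-(?<hi>\d+)$"
| eval Time_Taken = printf("%03d-%03d", tonumber(lo), tonumber(hi))
| chart limit=0 count over Test_CaseID by Time_Taken
| untable Test_CaseID, Time_Taken, count
| eventstats sum(count) as Total by Test_CaseID
| eval perc = round(count * 100 / Total, 2)
| xyseries Test_CaseID, Time_Taken, perc
| rex field=Test_CaseID "(?<Test_CaseID>[^#]+)#(?<Build>.+)"
| table Test_CaseID, Build, *
```

The result has one row per vendor for the same Test_CaseID, with columns ordered 000-003, 003-006, ... 018-021 instead of 0-3, 12-15, 15-18, 18-21, 3-6.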
Hi,
| sort +iteration
| eval testId = testId + ": " + testcase
| rename testId as Test_CaseID, build as Build, duration as Time_Taken
| where (Build="Vendor A" OR Build="Vendor B")
| chart count(Test_CaseID) as Total_Runs over Test_CaseID by Time_Taken bins=100
| untable Test_CaseID, Time_Taken, count
| eventstats sum(count) as Total by Test_CaseID
| eval perc=round(count*100/Total,2)
| fields - count, Total
| xyseries Test_CaseID, Time_Taken, perc
So this 96.00 is coming from Vendor A + Vendor B.
What I want is 2 rows with the same Test_CaseID (1 for A and another for B).
Hi @Trishant,
Got it.
Can you share some sample events & expected output? Then I can try to design a search for you.
Thanks
Hi @Trishant,
How do you want to split this event between the 2 vendors? I mean, if we take the span column "0-3", then how can we split the value "96.00"?
And you asked about sorting of 0-3, 12-15, 15-18, 18-21, 3-6. Do you want to sort the sequence of these span columns?
Thanks
@Trishant, you would need to add more details. What is the field to identify VendorA and VendorB? What is your current SPL? Also, can you share some sample event data (after mocking/anonymizing any sensitive information)?
Hi,
I have used the below search to get this view:
| sort +iteration
| eval testId = testId + ": " + testcase
| rename testId as Test_CaseID, build as Build, duration as Time_Taken
| where (Build="Vendor A" OR Build="Vendor B")
| chart count(Test_CaseID) as Total_Runs over Test_CaseID by Time_Taken bins=100
| untable Test_CaseID, Time_Taken, count
| eventstats sum(count) as Total by Test_CaseID
| eval perc=round(count*100/Total,2)
| fields - count, Total
| xyseries Test_CaseID, Time_Taken, perc
So this 96.00 is coming from Vendor A + Vendor B.
What I want is 2 rows with the same Test_CaseID (1 for A and another for B).
Hope this might help you to some extent...