Splunk Search

How to split a row by 2 field values

Trishant
Explorer

I have some sample data which I am trying to split over 2 fields.

For Example:

[image of the sample data table, not reproduced]

In the above image we have a test case ID which has some values in different time spans. It contains combined values from 2 different vendors, let's say A and B.

What I need is to split this row into 2 parts for the 2 vendors, one having data for A and another having data for B.

And please tell me how to sort these span buckets: 0-3, 12-15, 15-18, 18-21, 3-6...

0 Karma

somesoni2
SplunkTrust

Try like this:

...base search

| where build="Vendor A" OR build="Vendor B"
| sort +iteration 
| eval Test_CaseID = testId + ": " + testcase + "#" + build
| chart count(Test_CaseID) as Total_Runs over Test_CaseID by duration bins=100
| untable Test_CaseID, Time_Taken, count 
| eventstats sum(count) as Total by Test_CaseID
| eval perc=round(count*100/Total,2) 
| fields - count, Total
| xyseries Test_CaseID, Time_Taken, perc
| rex field=Test_CaseID "(?<Test_CaseID>[^#]+)#(?<Build>.+)"

There is no easy way to sort those dynamic columns for bins of Time Taken, as they're treated as strings when converted to columns.

0 Karma
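As an added example that is not from the thread, here is the same per-vendor split done with bin and stats instead of chart/untable, with the span labels zero-padded (0-3 becomes 000-003) so that the string ordering xyseries applies to its columns is also the numeric order. Totals are computed per test case and vendor, so each vendor's row sums to 100. It assumes the field names testId, testcase, build and duration from the thread, a fixed span of 3 matching the 0-3, 3-6 labels shown, and the printf eval function (Splunk 8.x or later).

```spl
...base search
| where build="Vendor A" OR build="Vendor B"
| bin duration span=3 as Time_Taken
| stats count by testId, testcase, build, Time_Taken
| eventstats sum(count) as Total by testId, testcase, build
| eval perc=round(count*100/Total, 2)
| rex field=Time_Taken "^(?<lo>\d+)-(?<hi>\d+)$"
| eval Time_Taken=printf("%03d-%03d", tonumber(lo), tonumber(hi))
| eval key=testId.": ".testcase."#".build
| xyseries key Time_Taken perc
| rex field=key "^(?<Test_CaseID>[^#]+)#(?<Build>.+)$"
| fields - key
```

The key/rex round trip is the same combine-then-split trick as the answer above, because xyseries takes only a single row field.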

Trishant
Explorer

Hi,

  1. I have used below search to get this view

...base search
| sort +iteration
| eval testId = testId + ": " + testcase
| rename testId as Test_CaseID, build as Build, duration as Time_Taken
| where (Build="Vendor A" OR Build="Vendor B")
| chart count(Test_CaseID) as Total_Runs over Test_CaseID by Time_Taken bins=100
| untable Test_CaseID, Time_Taken, count
| eventstats sum(count) as Total by Test_CaseID
| eval perc=round(count*100/Total,2)
| fields - count, Total
| xyseries Test_CaseID, Time_Taken, perc

So this 96.00 is coming from Vendor A + Vendor B.
What I want is 2 rows with the same Test_CaseID (1 for A and another for B).

  2. Yes, I want to sort the sequence of these span columns like 0-3, 3-6, 6-9, 9-12...
0 Karma

kamlesh_vaghela
SplunkTrust

Hi @Trishant,
Got it.

Can you share some sample events and the expected output? Then I can try to design a search for you.

Thanks

0 Karma

kamlesh_vaghela
SplunkTrust

Hi @Trishant,

How do you want to split this event between the 2 vendors? I mean, if we take the span column "0-3", how can we split the value "96.00"?

And you asked about sorting 0-3, 12-15, 15-18, 18-21, 3-6; do you want to sort these span columns in sequence?

Thanks

niketn
Legend

@Trishant, you would need to add more details. What is the field that identifies VendorA and VendorB? What is your current SPL? Also, can you share some sample event data (after mocking/anonymizing any sensitive information)?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
