Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to split a row by 2 field values

Trishant
Explorer
‎11-18-2017 08:20 AM

I have a sample data which I am trying to split over 2 fields.

For Example:

alt text

In above image we have a test case ID which has some values in Different time spans, It contains combined values form 2 different vendors let say A and B.

What I need is to split this row into 2 parts for 2 vendors one having data for A and another having data for B.???

And please tell me how to sort this span buckets. 0-3, 12-15, 15-18, 18-21, 3-6......???

Tags (1)
Preview file
1 KB
0 Karma
Reply

somesoni2
Revered Legend
‎11-20-2017 12:18 PM

Try like this

...base search

| where build="Vendor A" OR build="Vendor B"
| sort +iteration 
| eval Test_CaseID = testId + ": " + testcase + "#" + build
| chart count(Test_CaseID) as Total_Runs over Test_CaseID by duration bins=100
| untable Test_CaseID, Time_Taken, count 
| eventstats sum(count) as Total by Test_CaseID
| eval perc=round(count*100/Total,2) 
| fields - count(Total) 
| xyseries Test_CaseID, Time_Taken, perc
| rex field=Test_CaseID "(?<Test_CaseID>[^#]+)#(?<Build>.+)"

There is no easy way to sort those dynamic columns for bins of Time Taken as they're treated as string when converted to columns.

0 Karma
Reply

Trishant
Explorer
‎11-20-2017 08:32 AM

Hi,

  1. I have used below search to get this view

sort +iteration | eval testId = testId + ": " + testcase |
rename testId as Test_CaseID, build as Build, duration as Time_Taken | where (Build= "Vendor A" OR Build= "Vendor B") |
chart count(Test_CaseID) as Total_Runs over Test_CaseID by Time_Taken bins=100|
untable Test_CaseID, Time_Taken, count |
eventstats sum(count) as Total by Test_CaseID|
eval perc=round(count*100/Total,2) | fields - count(Total) |
xyseries Test_CaseID, Time_Taken, perc|

so this 96.00 is coming from Vendor A + Vendor B
what I want is 2 rows with same Test_CaseID(1 for A and another for B)

  1. Yes, I want to sort sequence of these span columns like 0-3, 3-6, 6-9, 9-12.....
0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎11-20-2017 08:50 AM

HI @Trishant,
Got it.

Can you share some sample event & expected output ?? So I can try to design search for you.

Thanks

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎11-18-2017 06:30 PM

HI @Trishant,

How you want to split this event between 2 vendors?? I mean if we say for span column "0-3" then how we can split value "96.00"?

And you asked about sorting of 0-3, 12-15, 15-18, 18-21, 3-6, do you want to sort sequence of these span columns??

Thanks

Reply

Trishant
Explorer
‎11-20-2017 02:33 AM

Hi,

  1. I have used below search to get this view

sort +iteration | eval testId = testId + ": " + testcase |
rename testId as Test_CaseID, build as Build, duration as Time_Taken | where (Build= "Vendor A" OR Build= "Vendor B") |
chart count(Test_CaseID) as Total_Runs over Test_CaseID by Time_Taken bins=100|
untable Test_CaseID, Time_Taken, count |
eventstats sum(count) as Total by Test_CaseID|
eval perc=round(count*100/Total,2) | fields - count(Total) |
xyseries Test_CaseID, Time_Taken, perc|

so this 96.00 is coming from Vendor A + Vendor B
what I want is 2 rows with same Test_CaseID(1 for A and another for B)

  1. Yes, I want to sort sequence of these span columns like 0-3, 3-6, 6-9, 9-12.....
0 Karma
Reply

niketn
Legend
‎11-18-2017 06:21 PM

@Trishant, you would need to add more details. What is the field to identify VendorA and VendorB. What is your current SPL? Also can you sample some event data (after mocking/anonymizing any sensitive information)?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply

Trishant
Explorer
‎11-20-2017 02:34 AM

Hi,

I have used below search to get this view

sort +iteration | eval testId = testId + ": " + testcase |
rename testId as Test_CaseID, build as Build, duration as Time_Taken | where (Build= "Vendor A" OR Build= "Vendor B") |
chart count(Test_CaseID) as Total_Runs over Test_CaseID by Time_Taken bins=100|
untable Test_CaseID, Time_Taken, count |
eventstats sum(count) as Total by Test_CaseID|
eval perc=round(count*100/Total,2) | fields - count(Total) |
xyseries Test_CaseID, Time_Taken, perc|

so this 96.00 is coming from Vendor A + Vendor B
what I want is 2 rows with same Test_CaseID(1 for A and another for B)

  1. Yes, I want to sort sequence of these span columns like 0-3, 3-6, 6-9, 9-12.....

Hope this might help you in some extent...

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...