Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to split a row by 2 field values

Trishant
Explorer
‎11-18-2017 08:20 AM

I have a sample data which I am trying to split over 2 fields.

For Example:

alt text

In above image we have a test case ID which has some values in Different time spans, It contains combined values form 2 different vendors let say A and B.

What I need is to split this row into 2 parts for 2 vendors one having data for A and another having data for B.???

And please tell me how to sort this span buckets. 0-3, 12-15, 15-18, 18-21, 3-6......???

Tags (1)
Preview file
10 KB
0 Karma
Reply

somesoni2
Revered Legend
‎11-20-2017 12:18 PM

Try like this

...base search

| where build="Vendor A" OR build="Vendor B"
| sort +iteration 
| eval Test_CaseID = testId + ": " + testcase + "#" + build
| chart count(Test_CaseID) as Total_Runs over Test_CaseID by duration bins=100
| untable Test_CaseID, Time_Taken, count 
| eventstats sum(count) as Total by Test_CaseID
| eval perc=round(count*100/Total,2) 
| fields - count(Total) 
| xyseries Test_CaseID, Time_Taken, perc
| rex field=Test_CaseID "(?<Test_CaseID>[^#]+)#(?<Build>.+)"

There is no easy way to sort those dynamic columns for bins of Time Taken as they're treated as string when converted to columns.

0 Karma
Reply

Trishant
Explorer
‎11-20-2017 08:32 AM

Hi,

  1. I have used below search to get this view

sort +iteration | eval testId = testId + ": " + testcase |
rename testId as Test_CaseID, build as Build, duration as Time_Taken | where (Build= "Vendor A" OR Build= "Vendor B") |
chart count(Test_CaseID) as Total_Runs over Test_CaseID by Time_Taken bins=100|
untable Test_CaseID, Time_Taken, count |
eventstats sum(count) as Total by Test_CaseID|
eval perc=round(count*100/Total,2) | fields - count(Total) |
xyseries Test_CaseID, Time_Taken, perc|

so this 96.00 is coming from Vendor A + Vendor B
what I want is 2 rows with same Test_CaseID(1 for A and another for B)

  1. Yes, I want to sort sequence of these span columns like 0-3, 3-6, 6-9, 9-12.....
0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎11-20-2017 08:50 AM

HI @Trishant,
Got it.

Can you share some sample event & expected output ?? So I can try to design search for you.

Thanks

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎11-18-2017 06:30 PM

HI @Trishant,

How you want to split this event between 2 vendors?? I mean if we say for span column "0-3" then how we can split value "96.00"?

And you asked about sorting of 0-3, 12-15, 15-18, 18-21, 3-6, do you want to sort sequence of these span columns??

Thanks

Reply

Trishant
Explorer
‎11-20-2017 02:33 AM

Hi,

  1. I have used below search to get this view

sort +iteration | eval testId = testId + ": " + testcase |
rename testId as Test_CaseID, build as Build, duration as Time_Taken | where (Build= "Vendor A" OR Build= "Vendor B") |
chart count(Test_CaseID) as Total_Runs over Test_CaseID by Time_Taken bins=100|
untable Test_CaseID, Time_Taken, count |
eventstats sum(count) as Total by Test_CaseID|
eval perc=round(count*100/Total,2) | fields - count(Total) |
xyseries Test_CaseID, Time_Taken, perc|

so this 96.00 is coming from Vendor A + Vendor B
what I want is 2 rows with same Test_CaseID(1 for A and another for B)

  1. Yes, I want to sort sequence of these span columns like 0-3, 3-6, 6-9, 9-12.....
0 Karma
Reply

niketn
Legend
‎11-18-2017 06:21 PM

@Trishant, you would need to add more details. What is the field to identify VendorA and VendorB. What is your current SPL? Also can you sample some event data (after mocking/anonymizing any sensitive information)?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply

Trishant
Explorer
‎11-20-2017 02:34 AM

Hi,

I have used below search to get this view

sort +iteration | eval testId = testId + ": " + testcase |
rename testId as Test_CaseID, build as Build, duration as Time_Taken | where (Build= "Vendor A" OR Build= "Vendor B") |
chart count(Test_CaseID) as Total_Runs over Test_CaseID by Time_Taken bins=100|
untable Test_CaseID, Time_Taken, count |
eventstats sum(count) as Total by Test_CaseID|
eval perc=round(count*100/Total,2) | fields - count(Total) |
xyseries Test_CaseID, Time_Taken, perc|

so this 96.00 is coming from Vendor A + Vendor B
what I want is 2 rows with same Test_CaseID(1 for A and another for B)

  1. Yes, I want to sort sequence of these span columns like 0-3, 3-6, 6-9, 9-12.....

Hope this might help you in some extent...

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...