Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to transform a table

i111040d
New Member
‎06-22-2016 07:55 PM

I have this table:

_time,id,src,dst
9:00,x,A,B
9:01,x,B,C
9:02,y,C,B
9:03,z,B,C
9:04,y,B,A
9:05,z,C,D

I wanna create this table:

_time,id,A-B,B-C,C-D
9:00,x,9:00,9:01,
9:02,y,9:04,9:02,
9:03,z,,9:03,9:05

How can I transform the table?

Tags (1)
0 Karma
Reply

somesoni2
Revered Legend
‎06-23-2016 07:54 AM

Try this

your current search giving _time id src dst | eval temp=src."-".dst."#".strftime(_time,"%H:%M")
| stats first(_time) as _time values(temp) as temp by id 
| mvexpand temp | rex field=temp "(?<direction>.+)#(?<time>.+)"
| eval temp=_time."#".id | chart values(time) over temp by direction | rex field=temp "(?<_time>.+)#(?<id>.+)" | fields - temp

Update#1
Thanks @woodcock for clarifying the requirement. This should take care of normalization as well.

 your current search giving _time id src dst | eval Nodes=mvsort(split(src."-".dst,"-")) | eval temp=mvindex(Nodes,0)."-".mvindex(Nodes,1)."#"._time | stats first(_time) as _time values(temp) as temp by id 
 | mvexpand temp | rex field=temp "(?<direction>.+)#(?<time>.+)"  | eval temp=_time."#".id | chart values(time) over temp by direction | rex field=temp "(?<_time>.+)#(?<id>.+)" | fields - temp| table _time id *
0 Karma
Reply

woodcock
Esteemed Legend
‎06-23-2016 08:17 AM

Yours does not normalize B-A to be A-B so the results are wrong:

_time   id  A-B B-A B-C C-B C-D
9:00    x   9:00        9:01         
9:02    y       9:04        9:02     
9:03    z           9:03        9:05

Also, you must change strftime(_time, "%H,%M") to just _time. Use this to spoof test events:

|noop|stats count AS trash|eval trash="9:00,x,A,B::9:01,x,B,C::9:02,y,C,B::9:03,z,B,C::9:04,y,B,A::9:05,z,C,D"
|makemv delim="::" trash|mvexpand trash
| rex field=trash "(?<_time>.*?),(?<id>.*?),(?<src>.*?),(?<dst>.*)" | table _time id src dst
| rename DesiredResults AS "
_time,id,A-B,B-C,C-D
9:00,x,9:00,9:01,
9:02,y,9:04,9:02,
9:03,z,,9:03,9:05"
Reply

somesoni2
Revered Legend
‎06-23-2016 08:35 AM

Not sure if that was the requirement (normalization). Would agree on strftime change if event though the field name is _time, use is storing string formatted time in it.

0 Karma
Reply

woodcock
Esteemed Legend
‎06-23-2016 08:38 AM

Normalization is specified in the desired results given.

0 Karma
Reply

somesoni2
Revered Legend
‎06-23-2016 08:54 AM

I did miss that. The answer updated to take care of both.

0 Karma
Reply

woodcock
Esteemed Legend
‎06-22-2016 08:30 PM

Add this:

| rex field=_time mode=sed "s/://"
| eval transition = src . "-" . dst . "::" . dst . "-" . src | fields - src dst
| makemv delim="::" transition | mvexpand transition
| stats values(transition) AS transition BY _time id | eval transition = mvindex(transition, 0)
| chart first(_time) AS _time BY id transition
| eval time="9999" | foreach * [ eval time = min(time, $<<FIELD>>$) | rex field="<<FIELD>>" mode=sed "s/(\d{1,2})(\d{2})/\1:\2/" ]
| rex field=time mode=sed "s/(\d{1,2})(\d{2})/\1:\2/"
| table time id *
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...