Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Repeat index and host time in tablerow

karunagaraprabh
Explorer
‎06-23-2020 08:15 PM

Hi, i need index time and host time to repeat for each data for host, printedA_epoch & printedb_epoch, how can i achieve it

karunagaraprabh_0-1592968527889.png

 

Thanks,

Karuna

 

Labels (1)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎06-23-2020 09:56 PM

If you have Splunk 8 (for mvmap) you can do this

| makeresults
| eval r=mvrange(1,15)
| mvexpand r
| eval printedA_epoch=now() - (random() % 604800)
| eval printedB_epoch=now() - (random() % 604800)
| eval indtime=now()
| eval host="XP03"
| stats values(printedA_epoch) as printedA_epoch values(printedB_epoch) as printedB_epoch by host indtime
| table host printedA_epoch printedB_epoch indtime
| eval comment="Your data is created up to here - so now duplicate host and indtime as required"
| eval h=mvrange(1,mvcount(printedA_epoch) + 1)
| eval host=mvmap(h,host), indtime=mvmap(h,indtime)
| fields - h comment

Hope this helps 

Reply

karunagaraprabh
Explorer
‎06-23-2020 10:53 PM

Thank you @bowesmana  but am using splunk 7.0.1 where  'mvmap'  function is not supported or undefined, could you please provide me an alternative command.

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎06-23-2020 11:09 PM

Try this

| makeresults
| eval r=mvrange(1,15)
| mvexpand r
| eval printedA_epoch=now() - (random() % 604800)
| eval printedB_epoch=now() - (random() % 604800)
| eval indtime=now()
| eval host="XP03"
| stats values(printedA_epoch) as printedA_epoch values(printedB_epoch) as printedB_epoch by host indtime
| table host printedA_epoch printedB_epoch indtime
| eval comment="Your data is created up to here - so now duplicate host and indtime as required"
| eval tmp=mvzip(printedA_epoch, printedB_epoch, ",")
| fields - printedA_epoch printedB_epoch comment
| mvexpand tmp
| rex field=tmp "(?<printedA_epoch>\d+),(?<printedB_epoch>\d+)"
| fields - tmp
| stats list(*) as *
Reply

karunagaraprabh
Explorer
‎06-23-2020 11:32 PM

Thanks for your valuable time

| stats list(*) as * it displays all my field in the indexed data i have to display only limited columns

CustomerjobId,printedA_epoch,printedB_epoch,indexdatetime

as i have to do difference of A and B epoc with indexedtime epoc 

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎06-23-2020 11:33 PM

Replace the list(*) as * with

list(a) as a list(b) as b list(c) as c 

for the columns you need

Reply

karunagaraprabh
Explorer
‎06-24-2020 02:03 AM

Hi @bowesmana , really appreciate your multiple solution, after implementing am getting Aepoch vales as 0000 instead of its value..

karunagaraprabh_0-1592986505291.png

 

Thanks,

Karuna

 

 

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...