Solved: Re: Split one field values into multiple fileds ba...

skodak · ‎07-10-2020

status

success

failure

error

I want output like

status status 1 status2

success failure error

anilchaithu · ‎07-10-2020

@skodak

you can use eval to split the field values

eval status1=if(like(status, "%failure%"), status, NULL), status2 = if(like(status, "%error%"), status, NULL), status=if(like(status, "%success%"), status, NULL)

Hope this helps

View solution in original post

anilchaithu · ‎07-10-2020

@skodak

you can use eval to split the field values

eval status1=if(like(status, "%failure%"), status, NULL), status2 = if(like(status, "%error%"), status, NULL), status=if(like(status, "%success%"), status, NULL)

Hope this helps

skodak · ‎07-10-2020

Thank you. This helped me to resolve the issue.

to4kawa · ‎07-10-2020

| makeresults
| eval _raw="status
success
success
failure
failure
error
error"
| multikv forceheader=1
| table status
| rename COMMENT as "the logic"
| streamstats dc(status) as session
| eval session="status".session
| stats list(status) as vstatus by session
| eval {session} = vstatus
| stats list(status*) as status*

Split one field values into multiple fields based on values

stats

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

Are you a member of the Splunk Community?

Split one field values into multiple fields based on values

stats

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

Brains, Bytes, and Boston: Learn from the Best at .conf25