Hi,
At search time, is there any way of splitting a tabular event into multiple events by column, rather than by row as multikv does?
For example:
node node0 node1
numa_hit 1021798456 123456
numa_miss 0 10
numa_foreign 0 0
interleave_hit 14348 123
local_node 1021798456 123446
other_node 0 0
I'd like this to be split into two events - one per node so I can do things like:
stats max(numa_miss) by node
There could be many tens of columns so using "rex" isn't really an option.
You could do this:
... | multikv | where node="numa_miss" | stats max(node*) by node
That will generate this for your sample event:
node       max(node0)  max(node1)
numa_miss  0           10
It's not quite what a stats max(numa_miss) would produce, but it might work for you.
Reformatting the output is the best choice, especially if the number of nodes were to grow. Having a thousand rows is easy to handle; a thousand columns are annoying, though.
Thanks. That's actually pretty close to what I need. If it was just one report I think I'd just live with it, but because I have quite a few reports to base on this data, I ended up changing the script wrapper to reformat the output though.
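The approach davewood settled on, reformatting the script output before it reaches Splunk, as an added example that is not part of this thread or of any Splunk component: a small Python transposer that turns the numastat-style table (one row per counter, one column per node) into one key=value line per node, so a plain `stats max(numa_miss) by node` works without multikv. The sample input is constructed from the numbers in the question, and the function names are my own.

```python
"""Transpose a counter-by-node table into one key=value event per node.

Added example, not code from the original thread. The input is a
constructed sample modelled on the event shown in the question.
"""

from typing import Dict, List

# Constructed sample, mirroring the numastat-style event in the question.
SAMPLE = """\
node node0 node1
numa_hit 1021798456 123456
numa_miss 0 10
numa_foreign 0 0
interleave_hit 14348 123
local_node 1021798456 123446
other_node 0 0
"""


def parse_table(text: str) -> Dict[str, Dict[str, int]]:
    """Return {node_name: {counter: value}} from a whitespace-separated table.

    The first header cell ("node" in the sample) labels the row-name column;
    every remaining header cell is a node. Any number of node columns is
    accepted, which is the point: tens of columns cost nothing here.
    """
    lines = [ln.split() for ln in text.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty table")
    header, rows = lines[0], lines[1:]
    nodes = header[1:]
    table: Dict[str, Dict[str, int]] = {node: {} for node in nodes}
    for row in rows:
        # A ragged row means the upstream tool changed format; fail loudly
        # rather than silently mis-assigning counters to the wrong node.
        if len(row) != len(header):
            raise ValueError(f"ragged row, expected {len(header)} cells: {row!r}")
        counter, values = row[0], row[1:]
        for node, value in zip(nodes, values):
            table[node][counter] = int(value)
    return table


def to_events(table: Dict[str, Dict[str, int]]) -> List[str]:
    """Render one Splunk-friendly line per node: node=<name> k=v k=v ..."""
    events = []
    for node, counters in table.items():
        fields = " ".join(f"{k}={v}" for k, v in counters.items())
        events.append(f"node={node} {fields}")
    return events


def transpose(text: str) -> List[str]:
    """Convenience wrapper: table text in, per-node event lines out."""
    return to_events(parse_table(text))


def max_by_node(table: Dict[str, Dict[str, int]], counter: str) -> Dict[str, int]:
    """What `stats max(<counter>) by node` would return over the emitted
    events, computed locally so the transposition can be sanity-checked."""
    return {node: counters[counter] for node, counters in table.items()}


if __name__ == "__main__":
    for line in transpose(SAMPLE):
        print(line)
```

Run as a wrapper, the script prints two lines (`node=node0 numa_hit=... numa_miss=0 ...` and `node=node1 ... numa_miss=10 ...`) that Splunk's default key=value extraction indexes as two events with a `node` field, so every report built on this data can group by node directly.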
Hi davewood,
have a look at transpose, this will return the specified number of rows (search results) as columns which can be used for further Splunk searches.
cheers, MuS
Thanks. Yes, I took a look at transpose but there was a bit too much subsequent tidying of data required for my purposes.
I ended up changing the script wrapper to reformat the output. 😞