Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Summary Index - Eval Issue - Need both combined & ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Summary Index - Eval Issue - Need both combined & segregated data
Hi Splunk Experts
I've created a summary index where it contains 6 eval cases, for example:
eval 1=case(match(something,"a",...."b","c"), eval 2 =case (d,e,f)....eval 6=case(x,y,z)
where a,b,c....x,y,z are the individual detailed functions & 1,2,3,,4,5,6 as overall functions. Now I have combined all eval functions into a single value using eval Total_Function = mvappend(1,2,3,4,5,6).
But I want to list the table with both overall function & individual detailed function as well. But I am not sure how to get individual detail values in the table along with overall function.
Expected table as below:
Time Total_Function Overallfunction Individual function
XX T otal_Function 1 a
YY Total_Function 1 b
ZZ Total_Function 1 c
AA Total_Function 6 x
BB Total_Function 6 y
CC Total_Function 6 z
Kindly help me please.
(Please note, there are multiple individual functions in each eval case)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
A summary index can contain literally any number of columns. Just output the record with one column for each item you want to report.
So, if an event had values for functions a, c r and t, and the Overall function was 1, then it might look like
(time) total_function=23, overall=1, a=12, c=7, r=0, t=15
or, if I misunderstood your meaning, maybe it might be
(time) total_function=23 overall="1;3" detail="a;c;r;t"
or
(time) total_function=23 overall="1;3" detail="a=12;c=7;r=0;t=15"
The next record does not have to have all the same fields.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the reply. I guess you misunderstood the Question.
I am looking to segregate the individual fields which are already appended through mvappend command.
mvappend(1,2,3,4,5,6)
1,2,3,4,5,6 are the eval function cases with values a,b....x,y,z(these values are calculated based on match criteria)
Hence want to table the data as mentioned in the initial question.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Okay, look at what happens when you do these commands
| makeresults
| eval myfield1=mvappend("a","b","c")
| eval myfield2=mvjoin(myfield1,"!!!!")
| eval myfield3=makemv(myfield2,"!!!!")
and then this command
| mvexpand myfield3
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
