Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Summary Index - Eval Issue - Need both combined & segregated data

gopiven
Explorer
‎06-22-2020 11:26 PM

Hi Splunk Experts

I've created a summary index where it contains 6 eval cases, for example:

eval 1=case(match(something,"a",...."b","c"), eval 2 =case (d,e,f)....eval 6=case(x,y,z) 

where a,b,c....x,y,z are the individual detailed functions & 1,2,3,,4,5,6 as overall functions. Now I have combined all eval functions into a single value using eval Total_Function = mvappend(1,2,3,4,5,6).

But I want to list the table with both overall function & individual detailed function as well. But I am not sure how to get individual detail values in the table along with overall function.

Expected table as below:

Time Total_Function      Overallfunction Individual function

XX     T otal_Function          1                               a
YY       Total_Function          1                               b
ZZ       Total_Function          1                               c
AA       Total_Function         6                               x
BB       Total_Function         6                               y
CC      Total_Function          6                               z                     

Kindly help me please.

(Please note, there are multiple individual functions in each eval case)

 

Labels (4)
Labels
0 Karma
Reply

DalJeanis
Legend
‎06-23-2020 11:43 AM

A summary index can contain literally any number of columns.  Just output the record with one column for each item you want to report.  

So, if an event had values for functions a, c r and t, and the Overall function was 1, then it might look like 

 

(time) total_function=23, overall=1, a=12, c=7, r=0, t=15

 

 

or, if I misunderstood your meaning, maybe it might be 

 

(time) total_function=23 overall="1;3" detail="a;c;r;t"

 

or

 

(time) total_function=23 overall="1;3" detail="a=12;c=7;r=0;t=15"

 

 

The next record does not have to have all the same fields.

 

0 Karma
Reply

gopiven
Explorer
‎06-23-2020 06:19 PM

Thanks for the reply. I guess you misunderstood the Question.
I am looking to segregate the individual fields which are already appended through mvappend command.

mvappend(1,2,3,4,5,6)
1,2,3,4,5,6 are the eval function cases with values a,b....x,y,z(these values are calculated based on match criteria)

Hence want to table the data as mentioned in the initial question.

0 Karma
Reply

DalJeanis
Legend
‎06-26-2020 02:33 PM

Okay, look at what happens when you do these commands

 

| makeresults
| eval myfield1=mvappend("a","b","c")
| eval myfield2=mvjoin(myfield1,"!!!!")
| eval myfield3=makemv(myfield2,"!!!!")

 and then this command

| mvexpand myfield3
0 Karma
Reply
Get Updates on the Splunk Community!

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...

Combine multiline logs into a single event with SOCK - a step-by-step guide for newbies Olga Malita The ...