Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Summary Index - Eval Issue - Need both combined & segregated data

gopiven
Explorer
‎06-22-2020 11:26 PM

Hi Splunk Experts

I've created a summary index where it contains 6 eval cases, for example:

eval 1=case(match(something,"a",...."b","c"), eval 2 =case (d,e,f)....eval 6=case(x,y,z) 

where a,b,c....x,y,z are the individual detailed functions & 1,2,3,,4,5,6 as overall functions. Now I have combined all eval functions into a single value using eval Total_Function = mvappend(1,2,3,4,5,6).

But I want to list the table with both overall function & individual detailed function as well. But I am not sure how to get individual detail values in the table along with overall function.

Expected table as below:

Time Total_Function      Overallfunction Individual function

XX     T otal_Function          1                               a
YY       Total_Function          1                               b
ZZ       Total_Function          1                               c
AA       Total_Function         6                               x
BB       Total_Function         6                               y
CC      Total_Function          6                               z                     

Kindly help me please.

(Please note, there are multiple individual functions in each eval case)

 

Labels (3)
Labels
0 Karma
Reply

DalJeanis
Legend
‎06-23-2020 11:43 AM

A summary index can contain literally any number of columns.  Just output the record with one column for each item you want to report.  

So, if an event had values for functions a, c r and t, and the Overall function was 1, then it might look like 

 

(time) total_function=23, overall=1, a=12, c=7, r=0, t=15

 

 

or, if I misunderstood your meaning, maybe it might be 

 

(time) total_function=23 overall="1;3" detail="a;c;r;t"

 

or

 

(time) total_function=23 overall="1;3" detail="a=12;c=7;r=0;t=15"

 

 

The next record does not have to have all the same fields.

 

0 Karma
Reply

gopiven
Explorer
‎06-23-2020 06:19 PM

Thanks for the reply. I guess you misunderstood the Question.
I am looking to segregate the individual fields which are already appended through mvappend command.

mvappend(1,2,3,4,5,6)
1,2,3,4,5,6 are the eval function cases with values a,b....x,y,z(these values are calculated based on match criteria)

Hence want to table the data as mentioned in the initial question.

0 Karma
Reply

DalJeanis
Legend
‎06-26-2020 02:33 PM

Okay, look at what happens when you do these commands

 

| makeresults
| eval myfield1=mvappend("a","b","c")
| eval myfield2=mvjoin(myfield1,"!!!!")
| eval myfield3=makemv(myfield2,"!!!!")

 and then this command

| mvexpand myfield3
0 Karma
Reply
Get Updates on the Splunk Community!

Your Guide to Splunk Digital Experience Monitoring

A flawless digital experience isn't just an advantage, it's key to customer loyalty and business success. But ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...