Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: With multiple `appendpipes` how do I specify t...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
HattrickNZ
Motivator
05-02-2018
07:14 PM
With multiple appendpipes how do I specify the number of rows above I want to apply it to?
| makeresults
| eval data = "
1 2017-12 A 155749 131033 84.1;
2 2017-12 B 24869 23627 95;
3 2017-12 C 117618 117185 99.6;
"
| makemv delim=";" data
| mvexpand data
| rex field=data "(?<serial>\d)\s+(?<date>\d+-\d+)\s+(?<type>\w)\s+(?<attempts>\d+)\s+(?<successfullAttempts>\d+)\s+(?<sr>\d+)"
| fields + date serial type attempts successfullAttempts sr
| rename date as _time
| search serial=*
| appendpipe [stats avg(sr) as sr | eval sr=round(sr,1) | eval successfullAttempts="average sr"]
| appendpipe [stats sum(sr) as sr | eval sr=round(sr,1) | eval successfullAttempts="sum sr"]
| appendpipe [stats sum(sr) as sr | eval sr=round(sr-92.7-370.7,1) | eval successfullAttempts="This is what I want - just the first 3 values of sr 84,95,and 99"]
OUTPUT looks like this:
I have lined up the sr column as that is the column of interest(seperate q does anyone know how best to format a table here?)
How would I get a value of 278 in row 6 if I did not know the values of row 4 and 5??
_time serial type attempts successfullAttempts sr
1 2017-12 1 A 155749 131033 84
2 2017-12 2 B 24869 23627 95
3 2017-12 3 C 117618 117185 99
4 average sr 92.7
5 sum sr 370.7
6 This is what I want - just the first 3 values of sr 84,95,and99 278.0
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
05-02-2018
08:12 PM
Like this:
| makeresults
| eval data = "
1 2017-12 A 155749 131033 84.1;
2 2017-12 B 24869 23627 95;
3 2017-12 C 117618 117185 99.6"
| makemv delim=";" data
| mvexpand data
| rex field=data "(?<serial>\d)\s+(?<date>\d+-\d+)\s+(?<type>\w)\s+(?<attempts>\d+)\s+(?<successfullAttempts>\d+)\s+(?<sr>\d+)"
| fields + date serial type attempts successfullAttempts sr
| rename date as _time
| search serial=*
| multireport
[ rename COMMENT AS "This just passes data through" ]
[ stats avg(sr) AS sr
| eval sr=round(sr,1)
| eval successfullAttempts="average sr" ]
[ stats sum(sr) AS sr
| eval sr=round(sr,1)
| eval successfullAttempts="sum sr" ]
| table _time serial type attempts successfullAttempts sr
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
05-02-2018
08:17 PM
THANK YOU for supplying BOTH generated sample data AND a clear mockup of your desired output. THAT is how you get answers.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
05-02-2018
08:12 PM
Like this:
| makeresults
| eval data = "
1 2017-12 A 155749 131033 84.1;
2 2017-12 B 24869 23627 95;
3 2017-12 C 117618 117185 99.6"
| makemv delim=";" data
| mvexpand data
| rex field=data "(?<serial>\d)\s+(?<date>\d+-\d+)\s+(?<type>\w)\s+(?<attempts>\d+)\s+(?<successfullAttempts>\d+)\s+(?<sr>\d+)"
| fields + date serial type attempts successfullAttempts sr
| rename date as _time
| search serial=*
| multireport
[ rename COMMENT AS "This just passes data through" ]
[ stats avg(sr) AS sr
| eval sr=round(sr,1)
| eval successfullAttempts="average sr" ]
[ stats sum(sr) AS sr
| eval sr=round(sr,1)
| eval successfullAttempts="sum sr" ]
| table _time serial type attempts successfullAttempts sr
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
HattrickNZ
Motivator
05-03-2018
07:12 PM
tks, so multireport is what I am looking for instead of appendpipe. It would have been good if you included that in your answer, if we giving feedback. But other than that a pretty comprehensive answer. THANK YOU 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
HattrickNZ
Motivator
05-03-2018
07:43 PM
Also, this line is required [ rename COMMENT AS "This just passes data through" ]. Take it out and it will not work.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
HattrickNZ
Motivator
05-03-2018
08:02 PM
And | table _time serial type attempts successfullAttempts sr is not required.
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Get Updates on the Splunk Community!
Thanks for the Memories! Splunk University, .conf25, and our Community
Thank you to everyone in the Splunk Community who joined us for .conf25, which kicked off with our iconic ...
Data Persistence in the OpenTelemetry Collector
This blog post is part of an ongoing series on OpenTelemetry.
What happens if the OpenTelemetry collector ...
Introducing Splunk 10.0: Smarter, Faster, and More Powerful Than Ever
Now On Demand
Whether you're managing complex deployments or looking to future-proof your data ...
