Splunk Search
Highlighted

With multiple `appendpipes` how do I specify the number of rows above I want to apply it to?

Motivator

With multiple appendpipes how do I specify the number of rows above I want to apply it to?

| makeresults 
   | eval data = "
   1    2017-12    A    155749    131033    84.1;
  2    2017-12    B    24869    23627    95;
  3    2017-12    C    117618    117185    99.6;
  " 
   | makemv delim=";" data 
   | mvexpand data
   | rex field=data "(?<serial>\d)\s+(?<date>\d+-\d+)\s+(?<type>\w)\s+(?<attempts>\d+)\s+(?<successfullAttempts>\d+)\s+(?<sr>\d+)"
   | fields + date serial type attempts successfullAttempts sr 
   | rename date as _time 
   | search serial=*
   | appendpipe [stats avg(sr) as sr | eval sr=round(sr,1) | eval successfullAttempts="average sr"] 
   | appendpipe [stats sum(sr) as sr | eval sr=round(sr,1) | eval successfullAttempts="sum sr"]
   | appendpipe [stats sum(sr) as sr | eval sr=round(sr-92.7-370.7,1) | eval successfullAttempts="This is what I want - just the first 3 values of sr 84,95,and 99"] 

OUTPUT looks like this:
I have lined up the sr column as that is the column of interest(seperate q does anyone know how best to format a table here?)
How would I get a value of 278 in row 6 if I did not know the values of row 4 and 5??

    _time   serial  type    attempts    successfullAttempts                                sr
1   2017-12 1   A   155749  131033                                                     84
2   2017-12 2   B   24869   23627                                                        95
3   2017-12 3   C   117618  117185                                                     99
4                   average sr                                                            92.7
5                   sum sr                                                                370.7
6                   This is what I want - just the first 3 values of sr 84,95,and99      278.0
Highlighted

Re: With multiple `appendpipes` how do I specify the number of rows above I want to apply it to?

Esteemed Legend

Like this:

| makeresults 
| eval data = "
   1    2017-12    A    155749    131033    84.1;
   2    2017-12    B    24869    23627    95;
   3    2017-12    C    117618    117185    99.6" 
| makemv delim=";" data 
| mvexpand data 
| rex field=data "(?<serial>\d)\s+(?<date>\d+-\d+)\s+(?<type>\w)\s+(?<attempts>\d+)\s+(?<successfullAttempts>\d+)\s+(?<sr>\d+)" 
| fields + date serial type attempts successfullAttempts sr 
| rename date as _time 
| search serial=* 

| multireport 

[ rename COMMENT AS "This just passes data through" ] 

[ stats avg(sr) AS sr 
| eval sr=round(sr,1) 
| eval successfullAttempts="average sr" ] 

[ stats sum(sr) AS sr 
| eval sr=round(sr,1) 
| eval successfullAttempts="sum sr" ]

| table _time serial type attempts successfullAttempts sr

View solution in original post

Highlighted

Re: With multiple `appendpipes` how do I specify the number of rows above I want to apply it to?

Motivator

tks, so multireport is what I am looking for instead of appendpipe. It would have been good if you included that in your answer, if we giving feedback. But other than that a pretty comprehensive answer. THANK YOU 🙂

0 Karma
Highlighted

Re: With multiple `appendpipes` how do I specify the number of rows above I want to apply it to?

Motivator

Also, this line is required [ rename COMMENT AS "This just passes data through" ]. Take it out and it will not work.

0 Karma
Highlighted

Re: With multiple `appendpipes` how do I specify the number of rows above I want to apply it to?

Motivator

And | table _time serial type attempts successfullAttempts sr is not required.

0 Karma
Highlighted

Re: With multiple `appendpipes` how do I specify the number of rows above I want to apply it to?

Esteemed Legend

THANK YOU for supplying BOTH generated sample data AND a clear mockup of your desired output. THAT is how you get answers.