Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

how to show a table in if

Mohsin123
Path Finder
‎09-25-2017 02:39 AM

My question is :
i have output in this format :
a _time
b _time
a _time
b _time

i want all these outputs alone with a coloumn that gives the _time (as start time) for only b type rows

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎09-25-2017 02:53 AM

Hi shraddhamuduli,
I don't know the fields you extracted, anyway, if "a" column name is "fieldA", try something like this:

your_search fieldA="b"
| table _time

Bye.
Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution

Mohsin123
Path Finder
‎09-25-2017 03:42 AM

its like this :

Starting Acquisition Sources Database source '20170924'SourceQuery_0 for DataSource 'Transaction' and Domain(s) TMS

Commit of Processing State started for Domain 'TMS' and OrgUnit '-FR'
Starting Acquisition Sources Database source '20170924'SourceQuery_0 for DataSource 'Transaction' and Domain(s) TMS
Commit of Processing State started for Domain 'TMS' and OrgUnit '-MM'

these are 4 rows ...
my job is clubbed like this, first is the database acquisition(this is the start time) , next is the commit of processing state started . Ex; For job FR , my job start time is the time for database acquisition . and then the job starts at commit of processing time..but my actual time the job FR started in system is the one for database aqcuisition .....

0 Karma
Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎09-25-2017 03:29 AM

current output -
a _time
b _time
a _time
b _time

if you want the output be like -
b _time
b _time

 your_search fieldB="b"
 | table fieldB _time

or, please update us your current query which gives the output as you shown on the question.. then we can edit that query..

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎09-25-2017 02:53 AM

Hi shraddhamuduli,
I don't know the fields you extracted, anyway, if "a" column name is "fieldA", try something like this:

your_search fieldA="b"
| table _time

Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

Mohsin123
Path Finder
‎09-25-2017 03:42 AM

its like this :

Starting Acquisition Sources Database source '20170924'SourceQuery_0 for DataSource 'Transaction' and Domain(s) TMS

Commit of Processing State started for Domain 'TMS' and OrgUnit '-FR'
Starting Acquisition Sources Database source '20170924'SourceQuery_0 for DataSource 'Transaction' and Domain(s) TMS
Commit of Processing State started for Domain 'TMS' and OrgUnit '-MM'

these are 4 rows ...
my job is clubbed like this, first is the database acquisition(this is the start time) , next is the commit of processing state started . Ex; For job FR , my job start time is the time for database acquisition . and then the job starts at commit of processing time..but my actual time the job FR started in system is the one for database aqcuisition .....

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...