Re: how to use part of field name to group columns...

hannahb · ‎04-23-2021

Hi, I got a set of table that has "_time" as row values and "hosts" as column values like below.

_time	host-1-1	host-1-2	host-2-1	host-2-2
12:00	10	20	5	5
12:15	20	10	5	15
12:30	10	15	5	10

How can I group them based on their host name (host-1 & host-2) and add the values of two sub_hosts(e.g. "host-1" = "host-1-1" + "host-1-2")? So the result will look like below.

_time	host-1	host-2
12:00	30	10
12:15	30	20
12:30	25	15

ITWhisperer · ‎04-23-2021

Run-anywhere example:

| makeresults 
| eval _raw="time,host-1-1,host-1-2,host-2-1,host-2-2
12:00,10,20,5,5
12:15,20,10,5,15
12:30,10,15,5,10"
| multikv forceheader=1
| fields - _* linecount 
| rename host_*_* as host-*-*


| untable time host count
| eval host=mvjoin(mvindex(split(host,"-"),0,-2),"-")
| stats sum(count) as count by time host
| xyseries time host count

For your case, you need the lines after the blank lines and use _time instead of time

aasabatini · ‎04-23-2021

Hi @hannahb

Try This:

------your search | rename host1-1 as host1, host2-1 as host2 | rename host1-2 as host1, host2-2 as host2 | stats count(host1) as host1, count(host2) as host2 by _time

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”

how to use part of field name to group columns and add values?

eval

fields

stats

table

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...