how to use part of field name to group columns and...

hannahb · ‎04-23-2021

Hi, I got a set of table that has "_time" as row values and "hosts" as column values like below.

_time	host-1-1	host-1-2	host-2-1	host-2-2
12:00	10	20	5	5
12:15	20	10	5	15
12:30	10	15	5	10

How can I group them based on their host name (host-1 & host-2) and add the values of two sub_hosts(e.g. "host-1" = "host-1-1" + "host-1-2")? So the result will look like below.

_time	host-1	host-2
12:00	30	10
12:15	30	20
12:30	25	15

ITWhisperer · ‎04-23-2021

Run-anywhere example:

| makeresults 
| eval _raw="time,host-1-1,host-1-2,host-2-1,host-2-2
12:00,10,20,5,5
12:15,20,10,5,15
12:30,10,15,5,10"
| multikv forceheader=1
| fields - _* linecount 
| rename host_*_* as host-*-*


| untable time host count
| eval host=mvjoin(mvindex(split(host,"-"),0,-2),"-")
| stats sum(count) as count by time host
| xyseries time host count

For your case, you need the lines after the blank lines and use _time instead of time

aasabatini · ‎04-23-2021

Hi @hannahb

Try This:

------your search | rename host1-1 as host1, host2-1 as host2 | rename host1-2 as host1, host2-2 as host2 | stats count(host1) as host1, count(host2) as host2 by _time

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”

how to use part of field name to group columns and add values?

eval

fields

stats

table

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?