how to use part of field name to group columns and...

hannahb · ‎04-23-2021

Hi, I got a set of table that has "_time" as row values and "hosts" as column values like below.

_time	host-1-1	host-1-2	host-2-1	host-2-2
12:00	10	20	5	5
12:15	20	10	5	15
12:30	10	15	5	10

How can I group them based on their host name (host-1 & host-2) and add the values of two sub_hosts(e.g. "host-1" = "host-1-1" + "host-1-2")? So the result will look like below.

_time	host-1	host-2
12:00	30	10
12:15	30	20
12:30	25	15

ITWhisperer · ‎04-23-2021

Run-anywhere example:

| makeresults 
| eval _raw="time,host-1-1,host-1-2,host-2-1,host-2-2
12:00,10,20,5,5
12:15,20,10,5,15
12:30,10,15,5,10"
| multikv forceheader=1
| fields - _* linecount 
| rename host_*_* as host-*-*


| untable time host count
| eval host=mvjoin(mvindex(split(host,"-"),0,-2),"-")
| stats sum(count) as count by time host
| xyseries time host count

For your case, you need the lines after the blank lines and use _time instead of time

aasabatini · ‎04-23-2021

Hi @hannahb

Try This:

------your search | rename host1-1 as host1, host2-1 as host2 | rename host1-2 as host1, host2-2 as host2 | stats count(host1) as host1, count(host2) as host2 by _time

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”

how to use part of field name to group columns and add values?

eval

fields

stats

table

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!

Catch Up Now >>