Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

query help

surekhasplunk
Communicator
‎03-01-2020 10:05 PM 
`myquery` | table Site Device Interface metric_name *

returns values like this :

Site    Device  Interface   metric_name full_metric_name    values  _time
Ams-P   xyz123  vni-0/1.0   vni-0/1_0   vni-0/1_0_in_usage  0.72    2020-03-02
Ams-P   xyz123  vni-0/1.0   vni-0/1_0   vni-0/1_0_out_usage 1.61    2020-03-02
Ams-S   xyz678  vni-0/1.0   vni-0/1_0   vni-0/1_0_in_usage  0.62    2020-03-02
Ams-S   xyz678  vni-0/1.0   vni-0/1_0   vni-0/1_0_out_usage 1.20    2020-03-02

Now i want to device the in_usage and out_usage into two different columns and show the output like below :

Site Device Interface in_usage out_usage _time
Ams-P xyz123 vni-0/1.0 0.72 1.61 2020-03-02
Ams-S xyz678 vni-0/1.0 0.62 1.20 2020-03-02

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎03-01-2020 10:55 PM

@surekhasplunk

Try this.

YOUR_SEARCH  | stats values(eval(if(full_metric_name="vni-0/1_0_in_usage",value,null()))) as in_usage values(eval(if(full_metric_name="vni-0/1_0_out_usage",value,null()))) as out_usage by Site Device Interface _time
 | table Site Device Interface in_usage out_usage _time

Sample Search

| makeresults | eval _raw=" Site    Device    Interface    metric_name    full_metric_name    value    _time
 Ams-P    xyz123    vni-0/1.0    vni-0/1_0    vni-0/1_0_in_usage    0.72    2020-03-02
 Ams-P    xyz123    vni-0/1.0    vni-0/1_0    vni-0/1_0_out_usage    1.61    2020-03-02
 Ams-S    xyz678    vni-0/1.0    vni-0/1_0    vni-0/1_0_in_usage    0.62    2020-03-02
 Ams-S    xyz678    vni-0/1.0    vni-0/1_0    vni-0/1_0_out_usage    1.20    2020-03-02"
 | multikv forceheader=1
 | stats values(eval(if(full_metric_name="vni-0/1_0_in_usage",value,null()))) as in_usage values(eval(if(full_metric_name="vni-0/1_0_out_usage",value,null()))) as out_usage by Site Device Interface _time
 | table Site Device Interface in_usage out_usage _time

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎03-01-2020 10:55 PM

@surekhasplunk

Try this.

YOUR_SEARCH  | stats values(eval(if(full_metric_name="vni-0/1_0_in_usage",value,null()))) as in_usage values(eval(if(full_metric_name="vni-0/1_0_out_usage",value,null()))) as out_usage by Site Device Interface _time
 | table Site Device Interface in_usage out_usage _time

Sample Search

| makeresults | eval _raw=" Site    Device    Interface    metric_name    full_metric_name    value    _time
 Ams-P    xyz123    vni-0/1.0    vni-0/1_0    vni-0/1_0_in_usage    0.72    2020-03-02
 Ams-P    xyz123    vni-0/1.0    vni-0/1_0    vni-0/1_0_out_usage    1.61    2020-03-02
 Ams-S    xyz678    vni-0/1.0    vni-0/1_0    vni-0/1_0_in_usage    0.62    2020-03-02
 Ams-S    xyz678    vni-0/1.0    vni-0/1_0    vni-0/1_0_out_usage    1.20    2020-03-02"
 | multikv forceheader=1
 | stats values(eval(if(full_metric_name="vni-0/1_0_in_usage",value,null()))) as in_usage values(eval(if(full_metric_name="vni-0/1_0_out_usage",value,null()))) as out_usage by Site Device Interface _time
 | table Site Device Interface in_usage out_usage _time
0 Karma
Reply
Solved! Jump to solution

surekhasplunk
Communicator
‎03-01-2020 11:28 PM

Thanks a lot for your quick help @kamlesh_vaghela,

It worked i just tweaked a little as the interface names vary from device to device.

| multikv forceheader=1|eval in_metric=metric_name."_in_usage" |eval out_metric=metric_name."_out_usage" | stats values(eval(if(full_metric_name=in_metric,value,null()))) as in_usage values(eval(if(full_metric_name=out_metric,value,null()))) as out_usage by Site Device Interface _time
| table Site Device Interface in_usage out_usage _time

0 Karma
Reply
Get Updates on the Splunk Community!

Blueprints for High-Maturity Operations: Splunk Lantern Articles on SOAR, ES 8.4, ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...

Simplifying the Analyst Experience with Finding-based Detections

    Splunk invites you to an engaging Tech Talk focused on streamlining security operations with ...

[Puzzles] Solve, Learn, Repeat: Word Search

This challenge was first posted on Slack #puzzles channelThis puzzle is based on a letter grid containing ...