Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- query help
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
surekhasplunk
Communicator
03-01-2020
10:05 PM
`myquery` | table Site Device Interface metric_name *
returns values like this :
Site Device Interface metric_name full_metric_name values _time
Ams-P xyz123 vni-0/1.0 vni-0/1_0 vni-0/1_0_in_usage 0.72 2020-03-02
Ams-P xyz123 vni-0/1.0 vni-0/1_0 vni-0/1_0_out_usage 1.61 2020-03-02
Ams-S xyz678 vni-0/1.0 vni-0/1_0 vni-0/1_0_in_usage 0.62 2020-03-02
Ams-S xyz678 vni-0/1.0 vni-0/1_0 vni-0/1_0_out_usage 1.20 2020-03-02
Now i want to device the in_usage and out_usage into two different columns and show the output like below :
Site Device Interface in_usage out_usage _time
Ams-P xyz123 vni-0/1.0 0.72 1.61 2020-03-02
Ams-S xyz678 vni-0/1.0 0.62 1.20 2020-03-02
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kamlesh_vaghela
SplunkTrust
03-01-2020
10:55 PM
@surekhasplunk
Try this.
YOUR_SEARCH | stats values(eval(if(full_metric_name="vni-0/1_0_in_usage",value,null()))) as in_usage values(eval(if(full_metric_name="vni-0/1_0_out_usage",value,null()))) as out_usage by Site Device Interface _time
| table Site Device Interface in_usage out_usage _time
Sample Search
| makeresults | eval _raw=" Site Device Interface metric_name full_metric_name value _time
Ams-P xyz123 vni-0/1.0 vni-0/1_0 vni-0/1_0_in_usage 0.72 2020-03-02
Ams-P xyz123 vni-0/1.0 vni-0/1_0 vni-0/1_0_out_usage 1.61 2020-03-02
Ams-S xyz678 vni-0/1.0 vni-0/1_0 vni-0/1_0_in_usage 0.62 2020-03-02
Ams-S xyz678 vni-0/1.0 vni-0/1_0 vni-0/1_0_out_usage 1.20 2020-03-02"
| multikv forceheader=1
| stats values(eval(if(full_metric_name="vni-0/1_0_in_usage",value,null()))) as in_usage values(eval(if(full_metric_name="vni-0/1_0_out_usage",value,null()))) as out_usage by Site Device Interface _time
| table Site Device Interface in_usage out_usage _time
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kamlesh_vaghela
SplunkTrust
03-01-2020
10:55 PM
@surekhasplunk
Try this.
YOUR_SEARCH | stats values(eval(if(full_metric_name="vni-0/1_0_in_usage",value,null()))) as in_usage values(eval(if(full_metric_name="vni-0/1_0_out_usage",value,null()))) as out_usage by Site Device Interface _time
| table Site Device Interface in_usage out_usage _time
Sample Search
| makeresults | eval _raw=" Site Device Interface metric_name full_metric_name value _time
Ams-P xyz123 vni-0/1.0 vni-0/1_0 vni-0/1_0_in_usage 0.72 2020-03-02
Ams-P xyz123 vni-0/1.0 vni-0/1_0 vni-0/1_0_out_usage 1.61 2020-03-02
Ams-S xyz678 vni-0/1.0 vni-0/1_0 vni-0/1_0_in_usage 0.62 2020-03-02
Ams-S xyz678 vni-0/1.0 vni-0/1_0 vni-0/1_0_out_usage 1.20 2020-03-02"
| multikv forceheader=1
| stats values(eval(if(full_metric_name="vni-0/1_0_in_usage",value,null()))) as in_usage values(eval(if(full_metric_name="vni-0/1_0_out_usage",value,null()))) as out_usage by Site Device Interface _time
| table Site Device Interface in_usage out_usage _time
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
surekhasplunk
Communicator
03-01-2020
11:28 PM
Thanks a lot for your quick help @kamlesh_vaghela,
It worked i just tweaked a little as the interface names vary from device to device.
| multikv forceheader=1|eval in_metric=metric_name."_in_usage" |eval out_metric=metric_name."_out_usage" | stats values(eval(if(full_metric_name=in_metric,value,null()))) as in_usage values(eval(if(full_metric_name=out_metric,value,null()))) as out_usage by Site Device Interface _time
| table Site Device Interface in_usage out_usage _time
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Get Updates on the Splunk Community!
.conf25 Global Broadcast: Don’t Miss a Moment
Hello Splunkers,
.conf25 is only a click away.
Not able to make it to .conf25 in person? No worries, you can ...
Observe and Secure All Apps with Splunk
Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...
What's New in Splunk Observability - August 2025
What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...
