Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

variable fields - re-arrange (tranpose) variables fields into one field for data aggregation

guilmxm
Influencer
‎06-16-2014 02:00 AM

Hi,

I have data indexed with variable fields (csv data indexed as csv by Splunk) such as:

timestamp device1 device2 device3 device4
XXXXXXXX        X       X       X       X

Where X are timestamps and values.

I would like to transform these data with Splunk to get:

timestamp device value
XXXXXXXXX device1    X
XXXXXXXXX device2    X
XXXXXXXXX device3    X
XXXXXXXXX device4    X

Currently, I can manipulate data to stats and chart them using:

| timechart max(*) As *

Then i can filter by fields name or doing any other operation.

But i would like to aggregate them (sum) by time interval, easy when devices are arranged in uniq fields, more complicated with variable fields i can't know in advance.

I found a way to stats count/max or whatever by device, but i can't get to include time:

<search stuff>
| stats max(*) As *
| transpose
| rex device=device^count\((?<column>.*?)\)
| rename column as device | rename "row 1" as value

I would have like the same kind of stuff to include the timestamp with the goal to re-arrange the data

Thank you very much for any help !

Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎06-16-2014 01:56 PM

See if this works (from your stats max query in the question)

<search stuff> | eval MaxTime=_time | stats max(*) As *
| transpose  | appendpipe [| where column="MaxTime" | rename "row 1" as Timestamp] | eventstats max(Timestamp) as Timestamp | where like(column,"device%") | convert ctime(Timestamp) | rename column as device, "row 1" as value | table Timestamp, device, value

View solution in original post

Reply
Solved! Jump to solution

guilmxm
Influencer
‎06-16-2014 11:07 PM

For people having the same requirement of re-arranging data with multiple arbitrary fields, 2 solutions answered to it, thanks to somesoni2 and madscient:

1. using eventstat:

<search stuff> | eval MaxTime=_time | stats max(*) As *
| transpose  | appendpipe [| where column="MaxTime" | rename "row 1" as Timestamp] | eventstats max(Timestamp) as Timestamp | where like(column,"device%") | convert ctime(Timestamp) | rename column as device, "row 1" as value | table Timestamp, device, value

Works great

2. Simpler solution using untable

<search stuff> | stats max(*) As * by _time | untable _time device value | stats max(value) as value by device

Works great

Reply
Solved! Jump to solution

guilmxm
Influencer
‎06-17-2014 08:10 AM

Thanks to Nick !

0 Karma
Reply
Solved! Jump to solution

guilmxm
Influencer
‎06-17-2014 08:10 AM

Yes it is, this works incredibly great!

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎06-17-2014 06:29 AM

This is (2nd solution) amazing. Good to learn a new command. Thanks

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎06-16-2014 01:56 PM

See if this works (from your stats max query in the question)

<search stuff> | eval MaxTime=_time | stats max(*) As *
| transpose  | appendpipe [| where column="MaxTime" | rename "row 1" as Timestamp] | eventstats max(Timestamp) as Timestamp | where like(column,"device%") | convert ctime(Timestamp) | rename column as device, "row 1" as value | table Timestamp, device, value
Reply
Solved! Jump to solution

guilmxm
Influencer
‎06-16-2014 11:02 PM

Hi somesoni2,

Many thanks for your answer ! And i confirm this works great 🙂

I had an another solution (thanks to to madscient) using untable which is a little bit more simple and works great too, i'll comment this post with both solutions

But really thank you for this!

Reply
Solved! Jump to solution

alterdego
Path Finder
‎06-16-2014 07:05 AM

Your example, and the result you are looking, for is almost the exact example (#3) used in the Search Reference manual for the mvexpand command.

Please take a look:
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Mvexpand

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎06-16-2014 01:36 PM

what version of Splunk are your using ? In the example for mvexpand, the rex command will not work for your data but , if you're on Splunk 6.x, then rex functionality can be achieved by foreach.

0 Karma
Reply
Solved! Jump to solution

guilmxm
Influencer
‎06-16-2014 11:28 AM

If you have any idea how, don't hesitate please 🙂

I'm quite bad with mvexpand, multikv, makekv and so on... and i often have the same kind of need without being able as for now to manage it.. which drives me crasy !

0 Karma
Reply
Solved! Jump to solution

guilmxm
Influencer
‎06-16-2014 10:41 AM

Hi alterdego,

Thanks a lot for your answer, i think too this should do the trick.

The #3 is little bit different from my data, my fields are arbitrary (and i can't know them in advance), like:

timestamp 00:45:ER 00:76:23 (csv header)
06/16/2014,00:00:00 0 0 (timestamp + value for each corresponding field)

I'm trying to adapt the example to my case...

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...