Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

variable fields - re-arrange (tranpose) variables fields into one field for data aggregation

guilmxm
Influencer
‎06-16-2014 02:00 AM

Hi,

I have data indexed with variable fields (csv data indexed as csv by Splunk) such as:

timestamp device1 device2 device3 device4
XXXXXXXX        X       X       X       X

Where X are timestamps and values.

I would like to transform these data with Splunk to get:

timestamp device value
XXXXXXXXX device1    X
XXXXXXXXX device2    X
XXXXXXXXX device3    X
XXXXXXXXX device4    X

Currently, I can manipulate data to stats and chart them using:

| timechart max(*) As *

Then i can filter by fields name or doing any other operation.

But i would like to aggregate them (sum) by time interval, easy when devices are arranged in uniq fields, more complicated with variable fields i can't know in advance.

I found a way to stats count/max or whatever by device, but i can't get to include time:

<search stuff>
| stats max(*) As *
| transpose
| rex device=device^count\((?<column>.*?)\)
| rename column as device | rename "row 1" as value

I would have like the same kind of stuff to include the timestamp with the goal to re-arrange the data

Thank you very much for any help !

Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎06-16-2014 01:56 PM

See if this works (from your stats max query in the question)

<search stuff> | eval MaxTime=_time | stats max(*) As *
| transpose  | appendpipe [| where column="MaxTime" | rename "row 1" as Timestamp] | eventstats max(Timestamp) as Timestamp | where like(column,"device%") | convert ctime(Timestamp) | rename column as device, "row 1" as value | table Timestamp, device, value

View solution in original post

Reply
Solved! Jump to solution

guilmxm
Influencer
‎06-16-2014 11:07 PM

For people having the same requirement of re-arranging data with multiple arbitrary fields, 2 solutions answered to it, thanks to somesoni2 and madscient:

1. using eventstat:

<search stuff> | eval MaxTime=_time | stats max(*) As *
| transpose  | appendpipe [| where column="MaxTime" | rename "row 1" as Timestamp] | eventstats max(Timestamp) as Timestamp | where like(column,"device%") | convert ctime(Timestamp) | rename column as device, "row 1" as value | table Timestamp, device, value

Works great

2. Simpler solution using untable

<search stuff> | stats max(*) As * by _time | untable _time device value | stats max(value) as value by device

Works great

Reply
Solved! Jump to solution

guilmxm
Influencer
‎06-17-2014 08:10 AM

Thanks to Nick !

0 Karma
Reply
Solved! Jump to solution

guilmxm
Influencer
‎06-17-2014 08:10 AM

Yes it is, this works incredibly great!

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎06-17-2014 06:29 AM

This is (2nd solution) amazing. Good to learn a new command. Thanks

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎06-16-2014 01:56 PM

See if this works (from your stats max query in the question)

<search stuff> | eval MaxTime=_time | stats max(*) As *
| transpose  | appendpipe [| where column="MaxTime" | rename "row 1" as Timestamp] | eventstats max(Timestamp) as Timestamp | where like(column,"device%") | convert ctime(Timestamp) | rename column as device, "row 1" as value | table Timestamp, device, value
Reply
Solved! Jump to solution

guilmxm
Influencer
‎06-16-2014 11:02 PM

Hi somesoni2,

Many thanks for your answer ! And i confirm this works great 🙂

I had an another solution (thanks to to madscient) using untable which is a little bit more simple and works great too, i'll comment this post with both solutions

But really thank you for this!

Reply
Solved! Jump to solution

alterdego
Path Finder
‎06-16-2014 07:05 AM

Your example, and the result you are looking, for is almost the exact example (#3) used in the Search Reference manual for the mvexpand command.

Please take a look:
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Mvexpand

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎06-16-2014 01:36 PM

what version of Splunk are your using ? In the example for mvexpand, the rex command will not work for your data but , if you're on Splunk 6.x, then rex functionality can be achieved by foreach.

0 Karma
Reply
Solved! Jump to solution

guilmxm
Influencer
‎06-16-2014 11:28 AM

If you have any idea how, don't hesitate please 🙂

I'm quite bad with mvexpand, multikv, makekv and so on... and i often have the same kind of need without being able as for now to manage it.. which drives me crasy !

0 Karma
Reply
Solved! Jump to solution

guilmxm
Influencer
‎06-16-2014 10:41 AM

Hi alterdego,

Thanks a lot for your answer, i think too this should do the trick.

The #3 is little bit different from my data, my fields are arbitrary (and i can't know them in advance), like:

timestamp 00:45:ER 00:76:23 (csv header)
06/16/2014,00:00:00 0 0 (timestamp + value for each corresponding field)

I'm trying to adapt the example to my case...

0 Karma
Reply
Get Updates on the Splunk Community!

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureOn Demand Now Step boldly into the AI revolution with enhanced security ...

Enterprise Security Content Update (ESCU) | New Releases

In March, the Splunk Threat Research Team had 2 releases of security content via the Enterprise Security ...

Join the Splunk Developer Program Hackathon: Splunk Build-a-thon!

The Splunk Developer Program is launching in beta, and we’re celebrating with an exciting hackathon! This is ...
Top