My events have the following structure:
id=[id] key=[key] value=[value]
For example:
id=1 key=mycounter value=4
id=1 key=mytime value=40
id=2 key=mycounter value=5
id=2 key=mytime value=70
id=3 key=mycounter value=8
id=3 key=mytime value=90
I would like to calculate mycounter/mytime for each id .
I created a table ( (key=mycounter OR key=mytime) | dedup id, key | table id, key, value ) and tried to apply mvcombine and makemv , but I was not able to get it working. Is this the right way to go or is there a better way in Splunk?
... View more