- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- tokens and multiselect
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tokens and multiselect
Hi ,
I have a case like this
index=i_prod (MemoryCached* OR MemoryTotal*) (host="vr" OR host="vfr") |table _time host MemoryCached* MemoryTotal*
i am passing host as muliselect token . MemoryCached and MemoryTotal and similar are fields in my index that are also i am fetching using a multiselect token using fieldsummary .
Now , i want to display a table statistics":
coloumns as
host MemoryTotal MemoryCached
Now , the query i am using above displays host as coloumn names but cant present the selected token as coloumn names
I am inteding an output like this
_time host MemoryCached MemoryTotal
2018-11-12 15:30:01 vgax16vr 1876791296 16649756672
2018-11-12 16:00:01 vgax16vr 1878134784 16649756672
2018-11-12 14:15:01 vgax16vr 1867366400 16649756672
2018-11-12 13:30:01 vgax16vr 1880264704 16649756672
2018-11-12 12:45:01 vgax17vr 1280692224 16649756672
2018-11-12 12:15:02 vgax16vr 1870192640 16649756672
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@Mohsin123 can you please add a bit more detail to your question? I feel the above output is what your current query should be providing. If not please share current output and expected output. Also share your current query.
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=idx_aprod (SwapFree OR MemoryTotal*) (host="*") source=Apigssor
| table _time host MemoryTotal SwapFree
Problem is :
multiselct tokens:
these are fields : (SwapFree OR MemoryTotal*)
host is a field : (host="")
host i can display as stats table , but when i am passing fields like swap/memory* as tokens how to extract them and display as coloiumn values ...
hope u understand...if u wont mind, can u share your phone number
My results :
_time host MemoryTotal SwapFree
2018-11-13 15:00:02 vgax77vr 16649756672 9793662976
2018-11-13 15:00:02 vgax29vr 16649756672 9746841600
2018-11-13 15:00:01 vgax22vr 16649756672 10090438656
2018-11-13 15:00:02 vgax78vr 16649756672 9784999936
2018-11-13 15:00:01
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
the results i am getting under host are values for the token host .
but memory* and Swap* are the field names i am [passing as tokens .
And i want to display their values for each host .
is there a way to create a new field for each token ...like $1=memoryfree , $2=swapfree
and i can display | table host $1 $2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
we create fields to tokens , here i want to create fields /colomns for each token value
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@Mohsin123 seems like the table output in your question is your current search result. Can you show example of expected search result? Also use Code button 101010 to post SPL and data so that special characters do not escape.
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@niketnilay
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@renjith.nair
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
