I have parent child relation data in splunk (based on dbid field)
Some information about the events:
--> the above example is for one parent child relationship; my actual data is up to 9 levels deep (parent to child to child to child..... up to 9 levels)
--> one parent can have three kinds of children (say, a network component might have children called ports, fabric_interconnect, Chassis)
Note below tree which show parent child relationship (dbid4 and dbid4.1 are children of dbid3, dbid2 and dbid6 are children of dbid1, dbid7 dbid7.1 and dbid7.2 are children of dbid6) - each dbid below represent one actual event in splunk which has much more data
dbid1(Block) --> dbid2(Compute) --> dbid3(CPU Rack) --> dbid4(CPU) --> dbid5(Core)
--> dbid6(Network) --> dbid7(Chassis) --> dbid8(SubChassis)
Given above data my requirement is to create parent child dbid lookup table like below
Block Compute CPU_Rack CPU Core FAN
dbid1 dbid2 dbid3 dbid4 dbid5
dbid1 dbid2 dbid3 dbid4.1
Separate table for another lookup, for the second subchild of the root element Block
Block Network Chassis SubChassis Port NIC
dbid1 dbid6 dbid7 dbid8
dbid1 dbid6 dbid7.1
dbid1 dbid6 dbid7.2
Of course the above table should be in .csv format
So that I can fulfill the requirement of listing all FAN in my compute resource, or find out all NIC and Ports which belong to a particular Network component
Any query\command or input is helpful to make the required lookup table so that querying events can be easy
Thanks and Best Regards
- Shreyans Soni
If there's no further information in the layout, then there's no way to accurately give you what you want. With regard to the nodes, there is no way to distinguish between the Port and the NIC. Both have the same parent and no children.
What other information is present in the nodes?
So that the community can help you with this, I'm providing the following "run anywhere code" to create test data. It creates four layouts, a through d, that match your nodes.
| makeresults
| eval myfields="Block Compute CPURack CPU FAN Core Network Chassis Port NIC SubChassis"
| makemv myfields
| eval mydata="a10!a20!a30!a40!a41!a50!a60!a70!a71!a72!a80 b10!b20!b30!b40!b41!b50!b60!b70!b71!b72!b80 c10!c20!c30!c40!c41!c50!c60!c70!c71!c72!c80 d10!d20!d30!d40!d41!d50!d60!d70!d71!d72!d80"
| makemv mydata
| mvexpand mydata
| makemv delim="!" mydata
| eval compName=mvzip(myfields,mydata,"=")
| eval mylinks="10,7 9,6 8,6 7,6 6,0 5,3 4,2 3,2 2,1 1,0 0,0"
| makemv mylinks
| mvexpand mylinks
| makemv delim="," mylinks
| eval dbid=mvindex(mydata,tonumber(mvindex(mylinks,0)))
| eval parentdbid=mvindex(mydata,tonumber(mvindex(mylinks,1)))
| eval parentdbid=if(parentdbid=dbid,null(),parentdbid)
| eval compName=mvindex(compName,tonumber(mvindex(mylinks,0)))
| sort 0 dbid
| table dbid parentdbid compName
With different letters for each set of events, the output looks like this
dbid  parentdbid  compName
a10               Block=a10
a20   a10         Compute=a20
a30   a20         CPURack=a30
a40   a30         CPU=a40
a41   a30         FAN=a41
a50   a40         Core=a50
a60   a10         Network=a60
a70   a60         Chassis=a70
a71   a60         Port=a71
a72   a60         NIC=a72
a80   a70         SubChassis=a80
text formatting of this site is showing different output than preview
please read two tables in question like below
dbid4.1 is below column FAN
dbid7.1 is below column Core (chassis, subchassis column are empty for this row)
dbid7.2 is below column NIC (chassis, subchassis column are empty for this row)
Use the "code" button -- the one marked 101 010 -- to mark your code or table layouts so that the web interface doesn't smash them all together. I make out your tree to look like this.
1) Is this correct?
2) Is this always the exact relationship of the nodes, or can there be other types of events mixed in as well?
dbid  compname
1     Block
2     Compute
3     CPU Rack
4     CPU
4.1   FAN
5     Core
6     Network
7     Chassis
7.1   Port
7.2   NIC
8     SubChassis

1->(2,6)
2-> 3
3-> (4,4.1)
4-> 5
6->(7,7.1,7.2)
7->8
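Added example, not part of any post in this thread: one way to flatten the dbid / parentdbid / compName rows produced by the test-data search into the per-branch lookup tables the question asks for, outside Splunk. The function names are hypothetical, the sample rows are layout "a" from the test data, and the code assumes compName has the form Type=dbid and that a component type appears at most once on any root-to-leaf path.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: layout "a" of the thread's test data (dbid, parentdbid, compName).
ROWS = [
    ("a10", "", "Block=a10"), ("a20", "a10", "Compute=a20"), ("a30", "a20", "CPURack=a30"),
    ("a40", "a30", "CPU=a40"), ("a41", "a30", "FAN=a41"), ("a50", "a40", "Core=a50"),
    ("a60", "a10", "Network=a60"), ("a70", "a60", "Chassis=a70"), ("a71", "a60", "Port=a71"),
    ("a72", "a60", "NIC=a72"), ("a80", "a70", "SubChassis=a80"),
]

def build_lookups(rows):
    """Return {type of the root's child: (columns, rows)}, one row per leaf path."""
    ctype = {dbid: name.split("=", 1)[0] for dbid, _, name in rows}
    children, roots = defaultdict(list), []
    for dbid, parent, _ in rows:
        (children[parent] if parent else roots).append(dbid)
    tables, seen = {}, set()

    def walk(node, path):
        if node in seen:
            raise ValueError(f"{node} reached twice (duplicate dbid or cycle)")
        seen.add(node)
        path = path + [node]
        for child in children[node]:
            walk(child, path)
        if not children[node]:  # leaf: emit one lookup row for this path
            branch = ctype[path[1]] if len(path) > 1 else ctype[path[0]]
            columns, out = tables.setdefault(branch, ([], []))
            row = {ctype[n]: n for n in path}  # column name = component type
            columns.extend([c for c in row if c not in columns])
            out.append(row)

    for root in roots:
        walk(root, [])
    missing = set(ctype) - seen
    if missing:  # parent never seen, or a loop with no root
        raise ValueError(f"unreachable dbids (orphan or cycle): {sorted(missing)}")
    return tables

def to_csv(columns, table_rows):
    # Columns a path does not use are left empty, as in the tables in the question.
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=columns, restval="", lineterminator="\n")
    writer.writeheader()
    writer.writerows(table_rows)
    return buf.getvalue()
```

Calling `to_csv(*build_lookups(ROWS)["Network"])` returns the text of the Network lookup; each table can be written to its own .csv file.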