- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How to split data based on a field
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to split data based on a field
I have the following query:
ns=name* TEST_DECISION
PRODUCT IN (PRODUCT1)
| timechart span=1d limit=0 count by TEST_DECISION
| eval total= VALID+INVALID
| eval VALID=round(VALID/total,4)*100
| eval INVALID=round(INVALID/total,4)*100
| fields - total
The output is as follows:
_time FAILED VALID INVALID OTHERS
2020-04-14 21 90.97 9.03 727
I have multiple products and that data is getting merged here thus I end up doing it 1 product at a time as seen in the query above (2nd line -> PRODUCT IN (PRODUCT1) ).
I have about 15 products. Is there a way I could modify the above query to achieve the following?
Doubt it but if relevant, products will be named like (CH1276578, FH7623138, DD81236812) .
_time FAILED VALID INVALID OTHERS. Product
2020-04-14 21 90.97 9.03 727. Product 1
2020-04-14 11 80.85 19.15 700. Product 2
2020-04-14 09 78.97 21.03 712. Product 3
...
Please advice. Thank you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ns=name* TEST_DECISION
PRODUCT IN (PRODUCT1)
| bin span=1d _time
| stats count by _time TEST_DECISION PRODUCT
| eval time=_time.PRODUCT
| fields - PRODUCT _time
| xyseries time TEST_DECISION count
| eval total= VALID+INVALID
| eval VALID=round(VALID/total,4)*100
| eval INVALID=round(INVALID/total,4)*100
| rex field=time "(?<_time>\d+)(?<PRODUCT>.*)"
| fields - total
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you. This does split it up but I lose all my evals I was calculating % for VALID INVALID above which worked before.
I end up with only 3 columns now.
TEST_DECISION PRODUCT. count
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I can't see your results. what's result values?
but, I modify answer.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@angersleek
try this
ns=name* TEST_DECISION
PRODUCT IN (PRODUCT1)
| timechart span=1d limit=0 count by TEST_DECISION PRODUCT
| eval total= VALID+INVALID
| eval VALID=round(VALID/total,4)*100
| eval INVALID=round(INVALID/total,4)*100
| fields - total
Harish
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Think issue with syntax, can't do TEST_DECISION PRODUCT (2 variables) here it seems.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi @angersleek
try like this |where Product in ["CH1276578"," FH7623138","DD81236812"]
Harish
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I could but that will not split it up. That would just give same results where all data for all products is merged. I want them to show individually for each product similar to the last table I posted above.
Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...
Troubleshooting the OpenTelemetry Collector
Adoption of Infrastructure Monitoring at Splunk
