Splunk Search

Splicing events with the same time stamp together

tristanmatthews
Path Finder

Hi,

I have a weird data structure I'm trying to figure out a better way to handle. The data I'm getting uses category and type fields to tell me what the counts mean. Right now its set up to work something like this, where I do a fair amount of logic to get the counts I want. (but there are actually a lot more categories, types, and logic):

index=counts
| eval count_a=case(category=1 AND type='A', count1, category=2 AND type='A', count2)
| eval count_b=case(category=1 AND type='B', count3, category=2 AND type='B', count4)
| table _time, count_a, count_b

This gives me results like

     _time,                      count_a,    count_b

1 10/26/13 8:15:00.201 PM, [BLANK], 50

2 10/26/13 8:15:00.201 PM, 65, [BLANK]

3 10/26/13 8:00:00.201 PM, [BLANK] , 43

4 10/26/13 8:00:00.201 PM, 78, BLANK]....

The [BLANK]s are literally blank, because not every line if the file has data for each type of count I'm interested in. After all the logic I have count fields for all the counts and every time step has a value for each count, but they are split over multiple lines. Is there a way to combine them so that I can get table with out blanks in it? Like

     _time,                      count_a,    count_b

1 10/26/13 8:15:00.201 PM, 65, 50

2 10/26/13 8:00:00.201 PM, 78 , 43....

Thanks,
Tristan

Tags (2)
0 Karma
1 Solution

Ayn
Legend

Either setup a transaction based on _time:

index=counts | eval count_a=case(category=1 AND type='A', count1, category=2 AND type='A', count2) | eval count_b=case(category=1 AND type='B', count3, category=2 AND type='B', count4) | transaction _time | table _time, count_a, count_b

Or for better performance, use stats.

index=counts | stats count(eval(category=1 AND type='A')) as count1, count(eval(category=2 AND type='A')) as count2 by _time

View solution in original post

Ayn
Legend

Either setup a transaction based on _time:

index=counts | eval count_a=case(category=1 AND type='A', count1, category=2 AND type='A', count2) | eval count_b=case(category=1 AND type='B', count3, category=2 AND type='B', count4) | transaction _time | table _time, count_a, count_b

Or for better performance, use stats.

index=counts | stats count(eval(category=1 AND type='A')) as count1, count(eval(category=2 AND type='A')) as count2 by _time

tristanmatthews
Path Finder

ok I fell silly, transaction was the first thing I tried, but clearly I miss read it.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...