Hi,
I am trying to display some test results and by using following search string I am getting what I want:
… | chart count(eval(testStepStatus=="FAIL")) by Datum, systemIDPair
Please see the attachment to get an idea of how it looks:
http://i.imgur.com/Jhls1xO.jpg
But since the requirements have changed, I need to put not numbers in the table cells but strings (held in the field resultString) like "1,1,0,-", so I should/would change the search string into something like:
… | chart first(resultString) by Datum, systemIDPair
where resultString can have some special character arrays like "1,1,0,-" or "1,0,0,1" or like this: "-,-,-,-".
So is it possible to create a "Statistic-Tab-View" with the Splunk chart function having such "strings" in the cells and not just numbers (a string can give more information than just a single number)?
(Edited)
So for example if events in Splunk Index are following:
Datum        resultString   systemIDPair
01.01.2015   "1,1,0,-"      "1/01"
01.01.2015   "1,0,0,1"      "1/04"
01.01.2015   "-,-,-,-"      "1/05"
02.01.2015   "0,1,0,-"      "1/01"
02.01.2015   "0,0,0,1"      "1/04"
02.01.2015   "0,-,-,-"      "1/05"
...
I do expect table view as following:
http://i.imgur.com/7IC3fmu.jpg
Best regards,
Milan
I'm not 100% sure I understand the question, but if I am reading it correctly I think you can do what you want.
The things to look at are using the eval function (specifically probably "case", but others may apply too) or rex to build strings based on... well, on whatever you want. Then, once you have resultString done the way you want, there are many options for creating tables, calculating statistics, or whatever you would like.
For instance, a search like "index=_internal" returns a whole bunch of lines, some of which have "TailDatabaseMonitor" in them, others which have "Scheduler", and others that have neither. Now, keep in mind this is pretty much a nonsense dataset, but it'll work for an example.
index=_internal | eval resultString=case(match(_raw,"TailDatabaseMonitor"),"ContainsItem1",match(_raw,"Scheduler"),"ContainsItem2",1==1,"ItemNeither")
That eval does a case statement (http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/Commonevalfunctions) using "match" to check if the various strings exist in the raw data. The last two items in the case, 1==1, "ItemNeither", set up a default: 1 always equals 1, so if nothing else matched, resultString gets set to ItemNeither.
After this, I have a resultString that, for the past 60 minutes on this indexer, gives 32000 events, 28000 of which are "ItemNeither", a few thousand ContainsItem1, and the remainder, a few hundred, set to ContainsItem2. From there, all sorts of things are possible.
For instance:
... | stats count(resultString) by resultString,host
Gives
resultString    host    count(resultString)
ContainsItem1   hostA   2914
ContainsItem2   hostB   1
ContainsItem2   hostC   813
ItemNeither     hostD   3980
ItemNeither     hostB   3688
ItemNeither     hostC   16630
ItemNeither     hostE   3450
Another option:
... | timechart latest(resultString) by host
In my example above, this gets a list structured much like what you showed in your latest screenshot. It has a feel of being delicate (it may require certain "span=x" options and may only be "right" over certain time frames), and it will definitely take some playing around to get right, but this may be enough to get you on the right path.
Hi rich7177,
first, thanks for your explanation. Did you take a look at my table here?
http://i.imgur.com/Jhls1xO.jpg
I could not upload the picture directly here (because my credit is not high enough). In my case I have the variable systemIDPair with the values 1/01, 1/04, 1/05, ... on the "vertical axis", and that is what I get automatically when I use the chart function. What you did is make a table with some count in one row, but what I want is to make a table with those special strings in place of the numbers. If the events in the Splunk index are the following:
Datum        resultString   systemIDPair
01.01.2015   "1,1,0,-"      "1/01"
01.01.2015   "1,0,0,1"      "1/04"
01.01.2015   "-,-,-,-"      "1/05"
02.01.2015   "0,1,0,-"      "1/01"
02.01.2015   "0,0,0,1"      "1/04"
02.01.2015   "0,-,-,-"      "1/05"
...
I do expect table view as following:
http://i.imgur.com/7IC3fmu.jpg
so as you can see, the elements in this table are not counts or numbers but strings like "1,1,0,-", ... So my question is whether it is possible to create a table with non-number values?
Best regards,
Milan
Thanks for clarifying. Might have something closer above.
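The table Milan asks for, as an added, self-contained SPL example that is not part of this thread and not rich7177's search. It rebuilds the six sample events from the question with makeresults/makemv/mvexpand/rex (the ":"-delimited sample string and the field name "sample" are assumptions made here purely to embed the data), then pivots them with chart. The point it shows is that first() is a non-numeric aggregation, so the cells of the chart output hold the original resultString values rather than counts:

```spl
| makeresults
| eval sample="01.01.2015:1,1,0,-:1/01;01.01.2015:1,0,0,1:1/04;01.01.2015:-,-,-,-:1/05;02.01.2015:0,1,0,-:1/01;02.01.2015:0,0,0,1:1/04;02.01.2015:0,-,-,-:1/05"
| makemv delim=";" sample
| mvexpand sample
| rex field=sample "^(?<Datum>[^:]+):(?<resultString>[^:]+):(?<systemIDPair>.+)$"
| fields - sample _time
| chart first(resultString) over Datum by systemIDPair
```

Run as written in the search bar, this yields one row per Datum (01.01.2015, 02.01.2015) and one column per systemIDPair (1/01, 1/04, 1/05), each cell containing the string such as "1,1,0,-". On real indexed data, replace everything up to the chart command with the base search, and keep "over Datum by systemIDPair" so the date stays on the row axis. values(resultString) works the same way if a pair can report more than once per date and all values should be shown; a date/pair combination with no event leaves an empty cell, which "| fillnull value=\"-\"" after the chart turns into the "-" placeholder the question already uses.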