operations or statistics on rows and cells in mult...

tippy · ‎04-19-2016

I have an entry in /var/log/messages which contains a string of multiple sets of 6 keypairs (pairdelim="," kvdelim=":" mv_add=true). This easily forms a table - and depending on the event - it will contain any number of rows.

i.e.

column1 column2 column3 column4 column5 column6
A1 B1 C1 D1 E1 F1
A2 B2 C2 D2 E2 F2 ...
An Bn Cn Dn En Fn

How can I perform operations which are based on the values in these rows, i.e. select the row where Column2 is B2 and tell me the value of Column6 (in this case, F2). Or add up all the F2's over time?

(Even clicking a table header cell (which would normally toggle a sort) does nothing for these multi-line events).

sundareshr · ‎04-20-2016

If the number of columns is constant and number of values per columns will always be the same across all columns, you could do something like this

your search here | eval z=mvzip(col1, mvzip(col2, mvzip(col3, mvzip(col4, col)))))  | table z | mvexpand z

With this you have have a table where each value is a separate row. You filter this data as you would any other. For example you could use addcoltotals to add up all F2s over time (http://docs.splunk.com/Documentation/Splunk/6.2.3/SearchReference/Addcoltotals)

operations or statistics on rows and cells in multi-line event table

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms