i have this search
index=cmedia sourcetype="adspecificsnmp"
| rex field=_raw mode=sed "s/=,/=NA,/g"
| rex field=_raw max_match=0 "(?<sP>(\d+\.)+)(?<sS>\d+)=(?<sV>[^,]+)"
| eval tempString=mvzip(sP, (mvzip (sS, sV, "~")), "~")
| mvexpand tempString
| rex field=tempString "(?<stringPrefix>[^~]+)~(?<stringSuffix>[^~]+)~(?<stringValue>(.*))"
| eval myString=stringPrefix."".stringSuffix
| lookup ACMCodes.csv Suffix as stringSuffix OUTPUT Description as description
| table description, stringValue
this is a partial result. there are 28 values in all
description, stringValue
1 Version , 2
2 Box , 0
3 Port , 0
4 NodeNumber, 1
5 PositioinofSpot, 1
6 ScheduleSpotPosition, 1
7 EventPosition, 4
8 FramesPerSec, 30
9 Owner, 0
i need the description as a field with value of stringValue
Version , Box , Port, NodeNumber, PositionofSpot,
2 , 0 , 0 , 1 , 1 ,
i hope this makes sense
A bit shoestringed here but what if you try
|chart list(stringValue) over stringValue by description|stats list(*) as *|fields - stringValue
For example in the following test search -
|stats count|fields - count|eval description="Version ,", stringValue="2"|append [|stats count|fields - count|eval description="Box ,", stringValue="0"]|chart list(stringValue) over stringValue by description|stats list(*) as *|fields - stringValue
Version and Box should show up in the same row.
Hi rwiley,
did you try with the transpose command?
Bye.
Giuseppe
thanks Flynt! just what i needed. sorry to take so long on reply. got pulled to another project.
How about you try |eval {description,}=stringValue right at the end, which will create a field name for each description which it sees, and then tabulate that using | table (*,)
Explanation here for the eval expression above
index=cmedia sourcetype="adspecificsnmp"
| rex field=_raw mode=sed "s/=,/=NA,/g"
| rex field=_raw max_match=0 "(?<sP>(\d+\.)+)(?<sS>\d+)=(?<sV>[^,]+)"
| eval tempString=mvzip(sP, (mvzip (sS, sV, "~")), "~")
| mvexpand tempString
| rex field=tempString "(?<stringPrefix>[^~]+)~(?<stringSuffix>[^~]+)~(?<stringValue>(.*))"
| eval myString=stringPrefix."".stringSuffix
| lookup ACMCodes.csv Suffix as stringSuffix OUTPUT Description as description
| eval {description,}=stringValue
| table (*,)
This works, but it doesn't bring it in in one row. it brings in the value for stringValue but the rest of the row is empty.
example:
Date SpotID Zone Channel
1 date
2 478393
3 CNN
4 zone
i was hoping to get this
Date SpotID Zone Channel
1 date 478393 zone CNN
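Added example, not part of the thread and not any poster's search: one way to get the single row asked for in the last comment is to number each event before mvexpand and then pivot on that number with xyseries. The two sample events are constructed, event_id is a hypothetical field name, and a case() stands in for the ACMCodes.csv lookup so the search runs without the lookup file.

```spl
| makeresults count=2
| streamstats count as event_id
| eval _raw=if(event_id=1, "1.3.6.1.1=2,1.3.6.1.2=0,1.3.6.1.3=,1.3.6.1.4=1", "1.3.6.1.1=2,1.3.6.1.2=1,1.3.6.1.3=5,1.3.6.1.4=7")
| rex field=_raw mode=sed "s/=,/=NA,/g"
| rex field=_raw max_match=0 "(?<sP>(\d+\.)+)(?<sS>\d+)=(?<sV>[^,]+)"
| eval tempString=mvzip(sP, mvzip(sS, sV, "~"), "~")
| mvexpand tempString
| rex field=tempString "(?<stringPrefix>[^~]+)~(?<stringSuffix>[^~]+)~(?<stringValue>.*)"
| eval description=case(stringSuffix="1", "Version", stringSuffix="2", "Box", stringSuffix="3", "Port", stringSuffix="4", "NodeNumber")
| xyseries event_id description stringValue
```

Each event_id comes back as one row with a column per description. On the real data, keep the lookup line in place of the case() and put the streamstats line directly after the base search.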