Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to edit my search to separate values in a column into two columns in my resulting table?

prashanthberam
Explorer
‎12-14-2016 01:38 PM

I have the table like this:

time           info    id     response time
start time1    in      571          
end time1      out     571    10.01
start time2    in      560               
end time2      out     560    11.01

but I want to display it like this:

starttime1     end time1     id     responsetime
starttime2     end time2     id     responsetime

My search is like this:

index=**** source="*****_****"   "getProcedureDetailBlueChip" OR "getProcedureDetailBlueChipResponse" AND "Outbound Message" OR "Inbound Message" |rex "(?.{23})"|rex field=_raw "INFO  :(?.*)"|rex field=_raw "ID:(?.*)"|sort _time|streamstats current=f last(_time) as LastTime by ID,source|eval ResponseTime=_time-LastTime|sort -ID|table Time,INFO,ID,ResponseTime

I have attached the table pic too.
alt text
Can anybody help please? Thanks in advance.

Preview file
1 KB
0 Karma
Reply

sundareshr
Legend
‎12-14-2016 04:18 PM

Try this

index=**** source="*****_****"   "getProcedureDetailBlueChip" OR "getProcedureDetailBlueChipResponse" AND "Outbound Message" OR "Inbound Message" | rex "(?<info>Inbound|Outbound)" | rex "ID:(?<id>.*)" | chart earliest(_time) as time over id by info | eval responsetime=outbound-inbound | eval responsetime=tostring(responsetime, "duration") | convert ctime(*bound) AS *bound
0 Karma
Reply

prashanthberam
Explorer
‎12-14-2016 05:52 PM

Thanks sundar..it looks somewhat working but I have duplicates in the id's but when am searching the different sources I can achieve that cloud you please tell me where I can include source in my code.

0 Karma
Reply

sundareshr
Legend
‎12-15-2016 03:07 AM

What do you mean "duplicates in the id"? Try adding this before the chart segment. | eval id=source."::".id

0 Karma
Reply

snoobzilla
Builder
‎12-14-2016 01:50 PM 
| eval starttime=if(INFO="Inbound Message", Time, null())
| eval endtime=if(INFO="Outbound Message", Time, null()
| stats values(starttime) AS starttime values(endtime) AS endtime values(ResponseTime) by ID

Above should get you close.

0 Karma
Reply

prashanthberam
Explorer
‎12-14-2016 05:53 PM

yes ...they have duplicates id's

0 Karma
Reply

prashanthberam
Explorer
‎12-14-2016 02:14 PM

am not getting any results in the Time field..

0 Karma
Reply

snoobzilla
Builder
‎12-14-2016 03:27 PM

You had a Time field in the table, was assuming you would append what I posted onto your query.

Are the IDs unique or do they repeat? Whats max response time? How many events would you search over... if only a few thousand transaction could be a good fit.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...