- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- extract value with matching multiple fields
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If i have events like below,
domain=abc, sever=abc_s1,status=running
domain=abc, server=abc_s2,status=shutdown
domain=xyz, sever=xyz_s1,status=running
domain=xyz, server=xyz_s2,status=shutdown
I want to create a table like below with new fields instance1 and instance2, where instance1 should have the value of status for ($domain)_s1 . and instance2 should have the value of status for $domain_s2
can be this achievable?
domain instance1 instance2
abc running shutdown
xyz running shutdown
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Give this a try
your current search giving fields domain, server, status
| eval instance="instance".replace(server,"(.+)(\d)$","\2")
| chart values(status) over domain by instance
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This inserts your sample data
|makeresults
| eval mydata=mvappend("domain=abc, server=abc_s1,status=running",
"domain=abc, server=abc_s2,status=shutdown",
"domain=xyz, server=xyz_s1,status=running",
"domain=xyz, server=xyz_s2,status=shutdown")
| mvexpand mydata
This turns it into the requested chart-
| rex field=mydata "domain=(?<mydomain>[^,]*),\s*server=(?<myserver>[^_]*_(?<myinstance>[^,]+)),\s*status=(?<mystatus>.*)"
| chart first(mystatus) as status over mydomain by myinstance
With the results looking like this -
mydomain s1 s2
abc running shutdown
xyz running shutdown
I've assumed that your server names are constructed by domain name, an underscore, and the instance name.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Give this a try
your current search giving fields domain, server, status
| eval instance="instance".replace(server,"(.+)(\d)$","\2")
| chart values(status) over domain by instance
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
got partial results.
I am getting the output in like below format. but it's not showing two different columns with instance1 and instance2
domain NULL
abc running
xyz running
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
also, is it "server" or "sever"?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This works fine based on your sample data (see this run anywhere sample). It seems the format of server is different causing the replace function to fail and return NULL. Could you provide some real sample values of the field server? Do they end with a number like in question?
| gentimes start=-1 | eval temp="abc,abc_s1,running abc,abc_s2,down xyz,xyz_s1,running xyz,xyz_s2,running" | table temp | makemv temp | mvexpand temp | rex field=temp "(?<domain>.+),(?<server>.+),(?<status>.+)" | fields - temp | eval instance="instance".replace(server,"(.+)(\d)$","\2") | chart values(status) over domain by instance
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sry given wrong field name. now it's worked perfectly as expected.
worked query:
your current search giving fields domain, server, status
| eval instance="instance".replace(server,"(.+)(\d)$","\2")
| chart values(status) over domain by instance
Thank you
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
