Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I merge 2 tabled rows and add field values from columns as new fields?

nidhsha2
New Member
‎02-27-2017 07:46 AM

I am looking to combine columns/values from row 2 to row 1 as additional columns. I am not sure which commands should be used to achieve this and would appreciate any help.

Example:

Current format
alt text

Desired format
alt text

Preview file
1 KB
Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎02-27-2017 09:13 AM

Give this a try

your current search giving fields Date A B C
| eventstats first(Date) as Date
| untable Date metrics data
| streamstats count by metrics | eval metrics=metrics."_".count
| xyseries Date metrics data

View solution in original post

0 Karma
Reply
Solved! Jump to solution

DalJeanis
Legend
‎02-27-2017 01:08 PM

somesoni2's answer is perfect if either (1) you will only ever have 2 days in your search, or (3) however many days ARE returned, you want to display them all horizontally.

Where you have more than two days, this strategy will compare each day's results to the following day's.

This part just makes test data-

| makeresults 
| eval mydata="7/1/2016,1,2,3 7/2/2016,4,5,6 7/3/2016,7,8,9" 
| makemv mydata
| mvexpand mydata 
| makemv delim="," mydata
| eval Date = strptime(mvindex(mydata,0),"%m/%d/%Y")
| eval A=mvindex(mydata,1)
| eval B=mvindex(mydata,2)
| eval C=mvindex(mydata,3)
| table Date A B C

This part spreads each day's data into two sets, one to be the current day and one to compare with the prior day.

| eval switcher="left right"
| makemv switcher 
| mvexpand switcher
| eval Date=if(switcher="left",Date,Date-86400)
| eval A_2=if(switcher="left",Null(),A)
| eval A=if(switcher="left",A,Null())
| eval B_2=if(switcher="left",Null(),B)
| eval B=if(switcher="left",B,Null())
| eval C_2=if(switcher="left",Null(),C)
| eval C=if(switcher="left",C,Null())

This part collects it up and displays it.

| stats values(*) as * by Date 
| where like(A,"%") AND like(A_2,"%")
| eval DateDisplay=strftime(Date,"%Y-%m-%d")
| table DateDisplay A B C A_2 B_2 C_2
0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎02-27-2017 09:13 AM

Give this a try

your current search giving fields Date A B C
| eventstats first(Date) as Date
| untable Date metrics data
| streamstats count by metrics | eval metrics=metrics."_".count
| xyseries Date metrics data
0 Karma
Reply
Solved! Jump to solution

nidhsha2
New Member
‎03-01-2017 07:27 AM

Thanks! This is exactly what I am looking for. The only issue I am hitting now is the last line....transforming to xyseries. I do not necessarily care about the date now but if I execute your last line I get "no results found".

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎03-01-2017 07:38 AM

So the xyseries command is failing? Do you get results with field name Date, metrics and data (case sensitive)? You can also replace xyseries command with following

| chart values(data) over Date by metrics
0 Karma
Reply
Solved! Jump to solution

DalJeanis
Legend
‎02-27-2017 01:24 PM

Here's test code for the curious.

| makeresults 
| eval mydata="7/1/2016,1,2,3 7/2/2016,4,5,6" 
| makemv mydata
| mvexpand mydata 
| makemv delim="," mydata
| eval Date = strptime(mvindex(mydata,0),"%m/%d/%Y")
| eval A=mvindex(mydata,1)
| eval B=mvindex(mydata,2)
| eval C=mvindex(mydata,3)
| table Date A B C


| eventstats first(Date) as Date
| untable Date metrics data
| streamstats count by metrics 
| eval metrics=metrics."_".count
| xyseries Date metrics data
| eval DateDisplay=strftime(Date,"%Y-%m-%d")

Explanation of the code:

Everything before the space just creates test data.

Eventstats keeps only the earliest date , throwing away the unneeded date from the second record.

Untable creates records that (in this case) all have the same Date, each record with the field name in "metrics" and the field value in "data".

Streamstats determines a suffix for each field name so that the combined field name will be unique. This usage assumes the data for the earliest date will appear first in the underlying data.

Eval appends the suffix onto the field name in metrics in order to create the unique field name.

Being a belt and suspenders and duct-tape sort of a person, I dislike verbs and functions --first() and streamstats in this case-- that depend on an event order that I can't see by inspection of the code. I'd probably amend the code to this :

| sort 0 Date
| untable Date metrics data
| streamstats count by metrics 
| eval metrics=metrics."_".count
| eventstats min(Date) as Date
| xyseries Date metrics data
| eval DateDisplay=strftime(Date,"%Y-%m-%d")
0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...