- Splunk Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- Set token from table
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Splunker's:
I want to display the table result in a html And I have the problem:
suppose search result:
col1 col2
1 2
then
$result.col2$
will set value "2" for "$row1_col2$"
but if search result as:
col1 col2
1 2
3 4
how could i get the value of "row2_col2" ?
in Html i wante display
col2
2
4
Can you help please??
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Updated: Answer based on details:
You can either post-process for seven different searches for each week day as a row... Or else try to play around with transpose/xyseries commands to have the results displayed in a single row
If you are performing stats count by Day, your transpose might look like the following:
<YourBaseSearch>
| stats count by Day
| transpose 7 header_field="Day" column_name="Day"
If the Day field values are Monday, Tuesday etc. They will become your new FieldNames and you can perform $result.Monday$ etc. Try to run your search with transpose and you should get the idea!
@FredericA...result.<fieldname> can only access field values from the first row or a search result with single row.
http://docs.splunk.com/Documentation/Splunk/latest/Viz/EventHandlerReference#Search_event_tokens
How many rows do you expect your search to return and what is the kind of output that needs to be displayed in HTML? Would it still be tabular?
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Updated: Answer based on details:
You can either post-process for seven different searches for each week day as a row... Or else try to play around with transpose/xyseries commands to have the results displayed in a single row
If you are performing stats count by Day, your transpose might look like the following:
<YourBaseSearch>
| stats count by Day
| transpose 7 header_field="Day" column_name="Day"
If the Day field values are Monday, Tuesday etc. They will become your new FieldNames and you can perform $result.Monday$ etc. Try to run your search with transpose and you should get the idea!
@FredericA...result.<fieldname> can only access field values from the first row or a search result with single row.
http://docs.splunk.com/Documentation/Splunk/latest/Viz/EventHandlerReference#Search_event_tokens
How many rows do you expect your search to return and what is the kind of output that needs to be displayed in HTML? Would it still be tabular?
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for your reply,
I have 7 rows (Monday->sunday).
The HTML output as an table.
index=* | stats count by Day
token is value and day.
the Html is
""
""
Day ; value
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the details. You should be able to pipe transpose to your existing query and it will become single row with Field Names as the Name of the Week Day and Count as the Field Values. See my Answer above. Please up vote and accept if your issue is resolved.
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you very much for your proposal, it works well.
In case the day name depends on the result (sort -count limit=3 for example), I can apply this solution you have an idea.?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ideally you should have asked a new question for this. But here is the updated answer based on your new question (Please try out and upvote if this solves your issue):
If you do not provide header_field to transpose function it gives them default names like "row 1", "row 2"... etc. So you can run your query to count by week day and then sort them descending by count. Since you can read results only by one row you would need to
index=_internal sourcetype=splunkd log_level="ERROR"
| stats count as CountByWeekDay by date_wday
| sort - CountByWeekDay
| eval CountByWeekDay= CountByWeekDay." (".date_wday.")"
| fields - date_wday
| transpose 7
You can then use $result.row 1$, $result.row 2$ etc to access the values. You can also add depends="$result.row 1$" etc to your HTML panel to hide them when they are not set. Otherwise, you will have to handle null results in your query itself to show zeros as the count fo a particular day.
Following could be one of the approaches (run anywhere search based on Splunks _internal index). I am appending zero count rows for each of the week day and then picking max of the result for the weekday.
index=_internal sourcetype=splunkd log_level="ERROR"
| stats count as CountByWeekDay by date_wday
| append [| makeresults
| eval date_wday="sunday"
| eval CountByWeekDay=0
| fields - _time]
| append [| makeresults
| eval date_wday="monday"
| eval CountByWeekDay=0
| fields - _time]
| append [| makeresults
| eval date_wday="tuesday"
| eval CountByWeekDay=0
| fields - _time]
| append [| makeresults
| eval date_wday="wednesday"
| eval CountByWeekDay=0
| fields - _time]
| append [| makeresults
| eval date_wday="thursday"
| eval CountByWeekDay=0
| fields - _time]
| append [| makeresults
| eval date_wday="friday"
| eval CountByWeekDay=0
| fields - _time]
| append [| makeresults
| eval date_wday="saturday"
| eval CountByWeekDay=0
| fields - _time]
| stats max(CountByWeekDay) as CountByWeekDay by date_wday
| sort - CountByWeekDay
| eval CountByWeekDay= CountByWeekDay." (".date_wday.")"
| fields - date_wday
| transpose 7
| makeresults | eval message= "Happy Splunking!!!"
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
