Solved: Help me with my usecase

sravankaripe · ‎05-04-2017

-------------------------------------| stats count by status | eval status=" Status: ".status.", Count : ".count | fields status

the search result is like this

status
----------
Status: 200, Count: 10
--------------------------------
Status: 400 Count: 20
--------------------------------

But i need to display like this...
----------
Status: 200
Count: 10
----------
Status: 400
Count: 20

Please help me with this use case

cmerriman · ‎05-04-2017

try ...|makemv delim="," Status

https://docs.splunk.com/Documentation/Splunk/6.5.3/SearchReference/Makemv

View solution in original post

DalJeanis · ‎05-04-2017

| makeresults | eval mystatus="200=10 400=20" | makemv mystatus | mvexpand mystatus 
| rex field=mystatus "(?<status>[^=]+)=(?<count>\d+)" 
| table status count 
| rename COMMENT as "The above just enters your test data up through the line '| stats count by status'." 

| rename COMMENT as "This formats the data into a multivalue field with three lines per status." 
| eval status=mvappend("---------------","Status: ".status,"Count: ".count) 
| table status

...with these results...

status
---------------
Status: 200
Count: 10
---------------
Status: 400
Count: 20

If you absolutely need a separator after the last one, then you can add this line at the end

| append [| makeresults | eval status="---------------"|table status]

alemarzu · ‎05-04-2017

Hi there, try something like this

main search | stats count by status | eval status=" Status: ".status.", Count : ".count | makemv delim="," Status | mvexpand Status

Hope it helps.

cmerriman · ‎05-04-2017

try ...|makemv delim="," Status

https://docs.splunk.com/Documentation/Splunk/6.5.3/SearchReference/Makemv

sravankaripe · ‎05-04-2017

got it thanks

Help me with my usecase

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!