Splunk Search

how to show a table in if

Mohsin123
Path Finder

My question is :
i have output in this format :
a _time
b _time
a _time
b _time

i want all these outputs alone with a coloumn that gives the _time (as start time) for only b type rows

Tags (1)
0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi shraddhamuduli,
I don't know the fields you extracted, anyway, if "a" column name is "fieldA", try something like this:

your_search fieldA="b"
| table _time

Bye.
Giuseppe

View solution in original post

0 Karma

Mohsin123
Path Finder

its like this :

Starting Acquisition Sources Database source '20170924'SourceQuery_0 for DataSource 'Transaction' and Domain(s) TMS

Commit of Processing State started for Domain 'TMS' and OrgUnit '-FR'
Starting Acquisition Sources Database source '20170924'SourceQuery_0 for DataSource 'Transaction' and Domain(s) TMS
Commit of Processing State started for Domain 'TMS' and OrgUnit '-MM'

these are 4 rows ...
my job is clubbed like this, first is the database acquisition(this is the start time) , next is the commit of processing state started . Ex; For job FR , my job start time is the time for database acquisition . and then the job starts at commit of processing time..but my actual time the job FR started in system is the one for database aqcuisition .....

0 Karma

inventsekar
Ultra Champion

current output -
a _time
b _time
a _time
b _time

if you want the output be like -
b _time
b _time

 your_search fieldB="b"
 | table fieldB _time

or, please update us your current query which gives the output as you shown on the question.. then we can edit that query..

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi shraddhamuduli,
I don't know the fields you extracted, anyway, if "a" column name is "fieldA", try something like this:

your_search fieldA="b"
| table _time

Bye.
Giuseppe

0 Karma

Mohsin123
Path Finder

its like this :

Starting Acquisition Sources Database source '20170924'SourceQuery_0 for DataSource 'Transaction' and Domain(s) TMS

Commit of Processing State started for Domain 'TMS' and OrgUnit '-FR'
Starting Acquisition Sources Database source '20170924'SourceQuery_0 for DataSource 'Transaction' and Domain(s) TMS
Commit of Processing State started for Domain 'TMS' and OrgUnit '-MM'

these are 4 rows ...
my job is clubbed like this, first is the database acquisition(this is the start time) , next is the commit of processing state started . Ex; For job FR , my job start time is the time for database acquisition . and then the job starts at commit of processing time..but my actual time the job FR started in system is the one for database aqcuisition .....

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...