I have a lot of RAW data with this format:
date_time,serverA,down
date_time,serverB,down
date_time,serverA,down
date_time,serverA,down
date_time,serverA,up
date_time,serverB,up
How can we count that raw data to get the following result?
server  | up | down
serverA | 1  | 3
serverB | 1  | 1
Thanks,
Andi
@ndiphe13, the following is a run-anywhere search based on the sample data and output provided in the question. The commands from | makeresults till | rename data as _raw generate the mock data. You can use your base search instead.
| makeresults
| eval data="date_time,serverA,down;date_time,serverB,down;date_time,serverA,down;date_time,serverA,down;date_time,serverA,up;date_time,serverB,up"
| makemv data delim=";"
| mvexpand data
| rename data as _raw
| makemv _raw delim=","
| eval server=mvindex(_raw,1),status=mvindex(_raw,2)
| chart count over server by status
PS: Since you already have comma-delimited data, you can use props.conf to generate the fields server and status during search time. That way you will not require the makemv and eval commands:
<YourBaseSearch>
| chart count over server by status
Thanks @niketnilay for your great sharing. I've made some changes in props.conf and transforms.conf. The output is exactly what I expected.
props.conf
[syslog]
REPORT-fields=commafields
transforms.conf
[commafields]
DELIMS = ","
FIELDS = date_time, server, sensor, status, remark
My Search
<MyBaseSearch> | chart count over server by status
Perfect!!! Way to go. 🙂
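An added example, not taken from any of the posts above: a run-anywhere search that does the same count on the five-field layout from the [commafields] stanza, extracting the fields inline with rex instead of through configuration, and adding a down percentage per server. The timestamps, the sensor and remark values, and the down_pct field name are constructed for illustration.

```spl
| makeresults
| eval data="2024-01-01T00:00:00,serverA,ping,down,constructed-sample;2024-01-01T00:05:00,serverB,ping,down,constructed-sample;2024-01-01T00:10:00,serverA,ping,down,constructed-sample;2024-01-01T00:15:00,serverA,ping,down,constructed-sample;2024-01-01T00:20:00,serverA,ping,up,constructed-sample;2024-01-01T00:25:00,serverB,ping,up,constructed-sample"
| makemv data delim=";"
| mvexpand data
| rename data as _raw
| rex field=_raw "^(?<date_time>[^,]*),(?<server>[^,]*),(?<sensor>[^,]*),(?<status>[^,]*),(?<remark>.*)$"
| where status="up" OR status="down"
| chart count over server by status
| fillnull value=0 down up
| eval down_pct=round(100*down/(down+up),1)
```

The where clause keeps any other status value out of the chart, and fillnull with an explicit field list creates the up or down column when no event in the time range carries that status, so the down_pct calculation always has both operands.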