Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- With multiple `appendpipes` how do I specify the n...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
HattrickNZ
Motivator
05-02-2018
07:14 PM
With multiple appendpipes how do I specify the number of rows above I want to apply it to?
| makeresults
| eval data = "
1 2017-12 A 155749 131033 84.1;
2 2017-12 B 24869 23627 95;
3 2017-12 C 117618 117185 99.6;
"
| makemv delim=";" data
| mvexpand data
| rex field=data "(?<serial>\d)\s+(?<date>\d+-\d+)\s+(?<type>\w)\s+(?<attempts>\d+)\s+(?<successfullAttempts>\d+)\s+(?<sr>\d+)"
| fields + date serial type attempts successfullAttempts sr
| rename date as _time
| search serial=*
| appendpipe [stats avg(sr) as sr | eval sr=round(sr,1) | eval successfullAttempts="average sr"]
| appendpipe [stats sum(sr) as sr | eval sr=round(sr,1) | eval successfullAttempts="sum sr"]
| appendpipe [stats sum(sr) as sr | eval sr=round(sr-92.7-370.7,1) | eval successfullAttempts="This is what I want - just the first 3 values of sr 84,95,and 99"]
OUTPUT looks like this:
I have lined up the sr column as that is the column of interest(seperate q does anyone know how best to format a table here?)
How would I get a value of 278 in row 6 if I did not know the values of row 4 and 5??
_time serial type attempts successfullAttempts sr
1 2017-12 1 A 155749 131033 84
2 2017-12 2 B 24869 23627 95
3 2017-12 3 C 117618 117185 99
4 average sr 92.7
5 sum sr 370.7
6 This is what I want - just the first 3 values of sr 84,95,and99 278.0
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
05-02-2018
08:12 PM
Like this:
| makeresults
| eval data = "
1 2017-12 A 155749 131033 84.1;
2 2017-12 B 24869 23627 95;
3 2017-12 C 117618 117185 99.6"
| makemv delim=";" data
| mvexpand data
| rex field=data "(?<serial>\d)\s+(?<date>\d+-\d+)\s+(?<type>\w)\s+(?<attempts>\d+)\s+(?<successfullAttempts>\d+)\s+(?<sr>\d+)"
| fields + date serial type attempts successfullAttempts sr
| rename date as _time
| search serial=*
| multireport
[ rename COMMENT AS "This just passes data through" ]
[ stats avg(sr) AS sr
| eval sr=round(sr,1)
| eval successfullAttempts="average sr" ]
[ stats sum(sr) AS sr
| eval sr=round(sr,1)
| eval successfullAttempts="sum sr" ]
| table _time serial type attempts successfullAttempts sr
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
05-02-2018
08:17 PM
THANK YOU for supplying BOTH generated sample data AND a clear mockup of your desired output. THAT is how you get answers.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
05-02-2018
08:12 PM
Like this:
| makeresults
| eval data = "
1 2017-12 A 155749 131033 84.1;
2 2017-12 B 24869 23627 95;
3 2017-12 C 117618 117185 99.6"
| makemv delim=";" data
| mvexpand data
| rex field=data "(?<serial>\d)\s+(?<date>\d+-\d+)\s+(?<type>\w)\s+(?<attempts>\d+)\s+(?<successfullAttempts>\d+)\s+(?<sr>\d+)"
| fields + date serial type attempts successfullAttempts sr
| rename date as _time
| search serial=*
| multireport
[ rename COMMENT AS "This just passes data through" ]
[ stats avg(sr) AS sr
| eval sr=round(sr,1)
| eval successfullAttempts="average sr" ]
[ stats sum(sr) AS sr
| eval sr=round(sr,1)
| eval successfullAttempts="sum sr" ]
| table _time serial type attempts successfullAttempts sr
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
HattrickNZ
Motivator
05-03-2018
07:12 PM
tks, so multireport is what I am looking for instead of appendpipe. It would have been good if you included that in your answer, if we giving feedback. But other than that a pretty comprehensive answer. THANK YOU 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
HattrickNZ
Motivator
05-03-2018
07:43 PM
Also, this line is required [ rename COMMENT AS "This just passes data through" ]. Take it out and it will not work.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
HattrickNZ
Motivator
05-03-2018
08:02 PM
And | table _time serial type attempts successfullAttempts sr is not required.
Get Updates on the Splunk Community!
Welcome to the Splunk Community!
(view in My Videos)
We're so glad you're here!
The Splunk Community is place to connect, learn, give back, and ...
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...
Adoption of RUM and APM at Splunk
Unleash the power of Splunk Observability
Watch Now
In this can't miss Tech Talk! The Splunk Growth ...
