- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- xyseries in full mesh: How to have it fill values ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
xyseries in full mesh: How to have it fill values A to Z with Z to A or vice versa?
I have a search that calculates latency in a full-mesh network, where each router has a direct connection to all of the other routers in the network. Latency is bidirectional, in other words latency between AAA-CCC is the same as CCC-AAA. I am able to generate a table but only AAA-CCC latency is showing and CCC-AAA is blank (this can be reversed depending on how source and destination was setup). How can I have CCC-AAA to show the same value as AAA-CCC instead of blank?
search ...
| eval Route=RouterA."_".RouterZ
| eventstats perc03(RTT) as RTT_03p, perc98(RTT) as RTT_98p BY Route
| where RTT >= RTT_03p and RTT <= RTT_98p
| stats min(RTT) as Latency values(RouterA) values(RouterZ) by Route
| xyseries values(RouterA) values(RouterZ) Latency
This is what I am getting:
values(RouterA) |AAA|BBB|CCC
AAA                    |       |027|012
BBB                    |       |      |    
CCC                   |       |010|    
This is what I want to see:
values(RouterA) |AAA|BBB|CCC
AAA                    |       |027|012
BBB                    |027|       |010
CCC                    |012|010|    
Thank you in advance!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You need the contingency command:
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Contingency
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm 99% sure there's a better way to do this.
Rename values(RouterA) as column.
Then:
your search
| append [your search again|transpose 0 header_field=column]
|stats min(*) by column
Is outputting the main search to a lookup table an option? Then you could append it to a transpose of itself without running the search twice.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks but your suggestion produced no results.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did you | rename values(RouterA) as column?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Okay, there was a typo on my code. Your suggestion produced the same results as my original search and added a new row at the bottom labeled values(RouterA)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yes I did.
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
