Hi Splunkers,
I have a table with values, obviously ^^ and I am trying to get certain data out of a certain column and row combaination.
For example (just an example): First of all, I want to extract the data out of column "RXbytes" and row "eth0". Secondly, I want that value placed within a phrase i.e. "The value you are looking for is" + 12288679.
Name MAC inetAddr RXbytes TXbytes Speed Duplex
bond0 00:67:56:89:43:f9 195.173.161.79 268927778 202019587 null null
eth0 00:67:56:89:43:f9 null 12288679 0 10000Mb/s null
eth1 00:67:56:89:43:f9 null 256639339 202021063 1000Mb/s Full
sourcetype=interfaces | multikv| table Name MAC inetAddr RXbytes TXbytes Speed Duplex
I heard about a results[i]field
command/statement or function, but unfortunately I cannot find any references. I am probably approaching the research the wrong way and therefore I hope someone here can point me at the right direction.
Many thanks in advance.
Best regards
Mike
Well to restate, you want to filter those results by this search:
search Name="eth0"
and then display the "RXbytes" value of the row (or rows) that match.
I think the results[i]field thing that you're mentioning is functionality in the HTML module of Sideview Utils -- within the Sideview HTML module you can refer to $results[0].RXbytes$
and it will go and fetch the value of the RXbytes field, from the first row of results.
So here's a simple config that would display that text in a dashboard:
<module name="PostProcess">
<param name="search">search name="eth0" | stats sum(RXbytes) as RXbytes</param>
<module name="HTML">
<param name="html"><![CDATA[
The value that you are looking for is $results[0].RXbytes$
]]></param>
<module>
<module>
For more complex cases the ResultsValueSetter module can come in handy but it would be overkill here.
I should also say that you can do similar things just with core Splunk and the SingleValue module, but I think you'll find the HTML module both easier to use and more powerful.
Remember to get the latest Sideview Utils app from the Sideview website. It's free for internal use and the version there (2.3.X) is much newer than the old version on Splunkbase (1.3.5)
Well to restate, you want to filter those results by this search:
search Name="eth0"
and then display the "RXbytes" value of the row (or rows) that match.
I think the results[i]field thing that you're mentioning is functionality in the HTML module of Sideview Utils -- within the Sideview HTML module you can refer to $results[0].RXbytes$
and it will go and fetch the value of the RXbytes field, from the first row of results.
So here's a simple config that would display that text in a dashboard:
<module name="PostProcess">
<param name="search">search name="eth0" | stats sum(RXbytes) as RXbytes</param>
<module name="HTML">
<param name="html"><![CDATA[
The value that you are looking for is $results[0].RXbytes$
]]></param>
<module>
<module>
For more complex cases the ResultsValueSetter module can come in handy but it would be overkill here.
I should also say that you can do similar things just with core Splunk and the SingleValue module, but I think you'll find the HTML module both easier to use and more powerful.
Remember to get the latest Sideview Utils app from the Sideview website. It's free for internal use and the version there (2.3.X) is much newer than the old version on Splunkbase (1.3.5)
works like a charm!!! Thank you very much. Also I will look into the suggested ResultsValueSetter.