Splunk Search

results returned in a variable field

lemikg
Communicator

Hi Splunkers,

I have a table with values, obviously ^^ and I am trying to get certain data out of a certain column and row combination.

For example (just an example): First of all, I want to extract the data out of column "RXbytes" and row "eth0". Secondly, I want that value placed within a phrase i.e. "The value you are looking for is" + 12288679.

Name   MAC                inetAddr        RXbytes    TXbytes    Speed      Duplex
bond0  00:67:56:89:43:f9  195.173.161.79  268927778  202019587  null       null
eth0   00:67:56:89:43:f9  null            12288679   0          10000Mb/s  null
eth1   00:67:56:89:43:f9  null            256639339  202021063  1000Mb/s   Full

sourcetype=interfaces | multikv| table Name  MAC inetAddr RXbytes TXbytes Speed Duplex 

I heard about a results[i]field command/statement or function, but unfortunately I cannot find any references. I am probably approaching the research the wrong way and therefore I hope someone here can point me in the right direction.

Many thanks in advance.

Best regards
Mike

1 Solution

sideview
SplunkTrust

Well to restate, you want to filter those results by this search:

search Name="eth0"

and then display the "RXbytes" value of the row (or rows) that match.

I think the results[i]field thing that you're mentioning is functionality in the HTML module of Sideview Utils -- within the Sideview HTML module you can refer to $results[0].RXbytes$ and it will go and fetch the value of the RXbytes field, from the first row of results.

So here's a simple config that would display that text in a dashboard:

<module name="PostProcess">
  <!-- Splunk field names are case-sensitive: the multikv column is "Name", not "name" -->
  <param name="search">search Name="eth0" | stats sum(RXbytes) as RXbytes</param>

  <module name="HTML">
    <param name="html"><![CDATA[
      The value that you are looking for is $results[0].RXbytes$
    ]]></param>
  </module>
</module>

For more complex cases the ResultsValueSetter module can come in handy but it would be overkill here.

I should also say that you can do similar things just with core Splunk and the SingleValue module, but I think you'll find the HTML module both easier to use and more powerful.

Remember to get the latest Sideview Utils app from the Sideview website. It's free for internal use and the version there (2.3.X) is much newer than the old version on Splunkbase (1.3.5).

http://sideviewapps.com/apps/sideview-utils
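The filter-then-read pipeline the answer describes, as an added example that is not part of the original post or of Sideview Utils: a small Python stand-in for `multikv | search Name="eth0" | stats sum(RXbytes) as RXbytes`, run over the table from the question (embedded below as constructed sample text), with the result substituted into the phrase the way `$results[0].RXbytes$` does. The helper names (`multikv`, `search`, `stats_sum`, `render`, `lookup`) are my own, not Splunk's or Sideview's API.

```python
"""Added example (not from the original post or Sideview Utils): mimic
`sourcetype=interfaces | multikv | search Name="eth0" | stats sum(RXbytes) as RXbytes`
on the table from the question, then format the single value the way the
HTML module's $results[0].RXbytes$ substitution does."""
import re

# Constructed sample: the interface table from the question, as the raw
# whitespace-separated text that multikv would split into one event per row.
RAW_TABLE = """\
Name     MAC                 inetAddr         RXbytes        TXbytes     Speed       Duplex
bond0 00:67:56:89:43:f9 195.173.161.79 268927778 202019587 null null
eth0 00:67:56:89:43:f9 null 12288679 0 10000Mb/s null
eth1 00:67:56:89:43:f9 null 256639339 202021063 1000Mb/s Full
"""


def multikv(text):
    """Turn a header-plus-rows table into a list of dicts, one per row,
    like Splunk's multikv: the first non-empty line supplies the field
    names, every later line is one event. The literal 'null' becomes None."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = re.split(r"\s+", lines[0].strip())
    events = []
    for line in lines[1:]:
        cells = re.split(r"\s+", line.strip())
        if len(cells) != len(header):
            # Ragged row: skip it rather than mis-assign values to columns.
            continue
        events.append({k: (None if v == "null" else v) for k, v in zip(header, cells)})
    return events


def search(events, **criteria):
    """Keep rows whose fields equal the given values. Field names are
    case-sensitive, as in Splunk: Name="eth0" matches, name="eth0" does not."""
    return [e for e in events if all(e.get(k) == v for k, v in criteria.items())]


def stats_sum(events, field):
    """stats sum(field): add up the numeric values of a field, skipping
    None and non-numeric cells; None when nothing was summable (Splunk
    would return an empty result set in that case)."""
    total, seen = 0, False
    for e in events:
        v = e.get(field)
        if v is None:
            continue
        try:
            total += int(v)
            seen = True
        except ValueError:
            continue
    return total if seen else None


def render(events, template="The value that you are looking for is {RXbytes}"):
    """Substitute the first result row into the template, the analogue of
    $results[0].<field>$ in the HTML module. None renders as empty text."""
    if not events:
        return "No results"
    return template.format(**{k: ("" if v is None else v) for k, v in events[0].items()})


def lookup(raw, name, field):
    """The whole pipeline: multikv | search Name=<name> | stats sum(<field>)."""
    rows = search(multikv(raw), Name=name)
    return stats_sum(rows, field)


if __name__ == "__main__":
    total = lookup(RAW_TABLE, "eth0", "RXbytes")
    print(render([{"RXbytes": total}]))
```

Two things the example makes visible that the dashboard hides: a lower-case `name="eth0"` filter returns no rows at all because field names are case-sensitive, and when more than one row matches, `stats sum` aggregates them instead of silently showing whichever row happened to come first.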


lemikg
Communicator

works like a charm!!! Thank you very much. Also I will look into the suggested ResultsValueSetter.
