I've search results something like this:
customerid tracingid API Status
1221 ab3d3 API1 200
1221 ab3d3 API2 400
1221 abcc2 API1 500
1222 abbd333 API1 200
1222 abbd333 API2 200
What I wanted is something like this:
customerid tracingid API1 API2
1221 ab3d3 200 400
1221 abcc2 500
1222 abbd333 200 200
I've tried something like what shown here: https://answers.splunk.com/answers/69108/query-results-with-field-values-as-column-header.html, but since I'm new to splunk search, I'm unable to find how do I get without counts.
@email2vimalraj
You can try any from below.
1)
| makeresults
| eval _raw=" customerid tracingid API Status
1221 ab3d3 API1 200
1221 ab3d3 API2 400
1221 abcc2 API1 500
1222 abbd333 API1 200
1222 abbd333 API2 200"
| multikv
| table customerid tracingid API Status | eval temp= customerid."-".tracingid
| xyseries temp API Status | eval customerid=mvindex(split(temp,"-"),0),tracingid=mvindex(split(temp,"-"),1) | fields - temp | table customerid tracingid *
2)
| makeresults
| eval _raw=" customerid tracingid API Status
1221 ab3d3 API1 200
1221 ab3d3 API2 400
1221 abcc2 API1 500
1222 abbd333 API1 200
1222 abbd333 API2 200"
| multikv
| table customerid tracingid API Status | eval {API}=Status | fields - API,Status | stats values(*) as * by customerid,tracingid
Thanks
@email2vimalraj
You can try any from below.
1)
| makeresults
| eval _raw=" customerid tracingid API Status
1221 ab3d3 API1 200
1221 ab3d3 API2 400
1221 abcc2 API1 500
1222 abbd333 API1 200
1222 abbd333 API2 200"
| multikv
| table customerid tracingid API Status | eval temp= customerid."-".tracingid
| xyseries temp API Status | eval customerid=mvindex(split(temp,"-"),0),tracingid=mvindex(split(temp,"-"),1) | fields - temp | table customerid tracingid *
2)
| makeresults
| eval _raw=" customerid tracingid API Status
1221 ab3d3 API1 200
1221 ab3d3 API2 400
1221 abcc2 API1 500
1222 abbd333 API1 200
1222 abbd333 API2 200"
| multikv
| table customerid tracingid API Status | eval {API}=Status | fields - API,Status | stats values(*) as * by customerid,tracingid
Thanks
@email2vimalraj ,
Try
"your search"|eval {API}=Status|fields - API,Status
|stats values(*) as * by customerid,tracingid