Splunk Search

Transform a table and error code when using a perl script

Fabien05
Explorer

Hello all,

1) I would like to have a matrix of correlation (with |correlate) for the attribute (more than 20) of my table. I have a table like this:

Date...........Occurences...........Attribute

10/05/2013...........1100...............Attri1

10/05/2013............537...............Attri2

10/05/2013............837...............Attri3

11/05/2013...........1218...............Attri1

11/05/2013............496...............Attri2

11/05/2013............868...............Attri3

Is it possible to obtain this table with splunk commands?

......Date.........Attri1.........Attri2.........Attri3

10/05/2013...........1100............537............837

11/05/2013...........1218............496............868

specification: Date, ATTR1 and ATTR2 are the name of columns

2) I tryed to use a perl script and I obtain this error code:

"External search command 'test' returned error code 2"

What do I make ?

0 Karma

chris
Motivator

Based on the table you have you can just add the following to your search:

| timechart span=1d last(Occurences) by Attribute

I'm assuming that the table is created by a splunk search and that the Date column is the _time field.

0 Karma

chris
Motivator

If, you have further questions let me know.

0 Karma

Fabien05
Explorer

Thank you !

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...