Please look at this example :
|makeresults | eval Application="App1" | eval TX_P1=1 | eval TX_P2=10 | eval TX_P3=100 | eval TX_P4=1000 | eval Source="ref" | append [|makeresults | eval Application="App2" | eval TX_P1=2 | eval TX_P2=20 | eval TX_P3=200| eval TX_P4=2000| eval Source="ref"] | appendpipe [| eval Source="inc" | eval TX_P1=TX_P1-1 | eval TX_P2=TX_P2-5| eval TX_P3=TX_P3-50| eval TX_P4=TX_P4-500] | sort Application
Results :
I would like to add some pipes to change the result like this:
|Application|TX_P1 |TX_P2 |TX_P3 |TX_P4 |
| App1 |0/1(100%)|5/10(50%) |50/100(50%) |500/1000(50%) |
| App2 |1/2(50%) |15/20(25%)|150/200(25%)|1500/2000(25%)|
Thanks to @maciep and @renjith.nair
I didn't know the foreach command.
|makeresults | eval Application="App1" | eval TX_P1=1 | eval TX_P2=10 | eval TX_P3=100 | eval TX_P4=1000
| eval Source="ref" | append [|makeresults | eval Application="App2" | eval TX_P1=2 | eval TX_P2=20
| eval TX_P3=200| eval TX_P4=2000| eval Source="ref"] | appendpipe [| eval Source="inc" | eval TX_P1=TX_P1-1
| eval TX_P2=TX_P2-5| eval TX_P3=TX_P3-50| eval TX_P4=TX_P4-500] | sort Application
| streamstats current=f window=1 last(TX_P1) as PREV_P1,last(TX_P2) as PREV_P2,last(TX_P3) as PREV_P3,last(TX_P4) as PREV_P4
| where Source="inc"
| foreach TX_* [eval new_<<MATCHSTR>>=<<FIELD>>."/".PREV_<<MATCHSTR>>." (".(100-(100*(<<FIELD>>/PREV_<<MATCHSTR>>)))."%)"]
| foreach new_* [eval TX_<<MATCHSTR>>=<<FIELD>>]
| fields - PREV_*, new_*, Source, _time
Regards,
Thanks to @maciep and @renjith.nair
I didn't know the foreach command.
|makeresults | eval Application="App1" | eval TX_P1=1 | eval TX_P2=10 | eval TX_P3=100 | eval TX_P4=1000
| eval Source="ref" | append [|makeresults | eval Application="App2" | eval TX_P1=2 | eval TX_P2=20
| eval TX_P3=200| eval TX_P4=2000| eval Source="ref"] | appendpipe [| eval Source="inc" | eval TX_P1=TX_P1-1
| eval TX_P2=TX_P2-5| eval TX_P3=TX_P3-50| eval TX_P4=TX_P4-500] | sort Application
| streamstats current=f window=1 last(TX_P1) as PREV_P1,last(TX_P2) as PREV_P2,last(TX_P3) as PREV_P3,last(TX_P4) as PREV_P4
| where Source="inc"
| foreach TX_* [eval new_<<MATCHSTR>>=<<FIELD>>."/".PREV_<<MATCHSTR>>." (".(100-(100*(<<FIELD>>/PREV_<<MATCHSTR>>)))."%)"]
| foreach new_* [eval TX_<<MATCHSTR>>=<<FIELD>>]
| fields - PREV_*, new_*, Source, _time
Regards,
@mclane1, glad it worked. If any of the answers or comments helped you, feel free to vote
Do you want all these columns separated by | in one single column?
No, just columns without "|" I don't find how to make an array in this tools
@mclane1,
|makeresults | eval Application="App1" | eval TX_P1=1 | eval TX_P2=10 | eval TX_P3=100 | eval TX_P4=1000
| eval Source="ref" | append [|makeresults | eval Application="App2" | eval TX_P1=2 | eval TX_P2=20
| eval TX_P3=200| eval TX_P4=2000| eval Source="ref"] | appendpipe [| eval Source="inc" | eval TX_P1=TX_P1-1
| eval TX_P2=TX_P2-5| eval TX_P3=TX_P3-50| eval TX_P4=TX_P4-500] | sort Application
|streamstats current=f window=1 last(TX_P1) as PREV_P1,last(TX_P2) as PREV_P2,last(TX_P3) as PREV_P3,last(TX_P4) as PREV_P4
|where Source="inc"
|eval X1=100-(TX_P1*100)/PREV_P1,TX_P1=TX_P1."/".PREV_P1."(".X1."%)",
X2=100-(TX_P2*100)/PREV_P2,TX_P2=TX_P2."/".PREV_P2."(".X2."%)",
X3=100-(TX_P3*100)/PREV_P3,TX_P3=TX_P3."/".PREV_P3."(".X3."%)",
X4=100-(TX_P4*100)/PREV_P4,TX_P4=TX_P4."/".PREV_P4."(".X4."%)"
|fields - PREV*,_time,Source,X*