Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I format the display of multiple cells per line?

mclane1
Path Finder
‎10-19-2018 08:03 AM

Please look at this example :

|makeresults | eval Application="App1" | eval TX_P1=1 | eval TX_P2=10 | eval TX_P3=100 | eval TX_P4=1000 | eval Source="ref" | append [|makeresults | eval Application="App2" | eval TX_P1=2 | eval TX_P2=20 | eval TX_P3=200| eval TX_P4=2000| eval Source="ref"] | appendpipe [| eval Source="inc" | eval TX_P1=TX_P1-1 | eval TX_P2=TX_P2-5| eval TX_P3=TX_P3-50| eval TX_P4=TX_P4-500] | sort Application

Results :
Show result in splunk

I would like to add some pipes to change the result like this:

|Application|TX_P1    |TX_P2     |TX_P3       |TX_P4         |
| App1      |0/1(100%)|5/10(50%) |50/100(50%) |500/1000(50%) |
| App2      |1/2(50%) |15/20(25%)|150/200(25%)|1500/2000(25%)|
Tags (2)
Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mclane1
Path Finder
‎10-24-2018 08:14 AM

Thanks to @maciep and @renjith.nair

I didn't know the foreach command.

|makeresults | eval Application="App1" | eval TX_P1=1 | eval TX_P2=10 | eval TX_P3=100 | eval TX_P4=1000 
 | eval Source="ref" | append [|makeresults | eval Application="App2" | eval TX_P1=2 | eval TX_P2=20 
 | eval TX_P3=200| eval TX_P4=2000| eval Source="ref"] | appendpipe [| eval Source="inc" | eval TX_P1=TX_P1-1 
 | eval TX_P2=TX_P2-5| eval TX_P3=TX_P3-50| eval TX_P4=TX_P4-500] | sort Application
 | streamstats current=f window=1 last(TX_P1) as PREV_P1,last(TX_P2) as PREV_P2,last(TX_P3) as PREV_P3,last(TX_P4) as PREV_P4
 | where Source="inc"
 | foreach TX_* [eval new_<<MATCHSTR>>=<<FIELD>>."/".PREV_<<MATCHSTR>>." (".(100-(100*(<<FIELD>>/PREV_<<MATCHSTR>>)))."%)"]
 | foreach new_* [eval TX_<<MATCHSTR>>=<<FIELD>>]
 | fields - PREV_*, new_*, Source, _time

Regards,

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

mclane1
Path Finder
‎10-24-2018 08:14 AM

Thanks to @maciep and @renjith.nair

I didn't know the foreach command.

|makeresults | eval Application="App1" | eval TX_P1=1 | eval TX_P2=10 | eval TX_P3=100 | eval TX_P4=1000 
 | eval Source="ref" | append [|makeresults | eval Application="App2" | eval TX_P1=2 | eval TX_P2=20 
 | eval TX_P3=200| eval TX_P4=2000| eval Source="ref"] | appendpipe [| eval Source="inc" | eval TX_P1=TX_P1-1 
 | eval TX_P2=TX_P2-5| eval TX_P3=TX_P3-50| eval TX_P4=TX_P4-500] | sort Application
 | streamstats current=f window=1 last(TX_P1) as PREV_P1,last(TX_P2) as PREV_P2,last(TX_P3) as PREV_P3,last(TX_P4) as PREV_P4
 | where Source="inc"
 | foreach TX_* [eval new_<<MATCHSTR>>=<<FIELD>>."/".PREV_<<MATCHSTR>>." (".(100-(100*(<<FIELD>>/PREV_<<MATCHSTR>>)))."%)"]
 | foreach new_* [eval TX_<<MATCHSTR>>=<<FIELD>>]
 | fields - PREV_*, new_*, Source, _time

Regards,

0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎10-24-2018 06:43 PM

@mclane1, glad it worked. If any of the answers or comments helped you, feel free to vote

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Solved! Jump to solution

Vijeta
Influencer
‎10-19-2018 12:35 PM

Do you want all these columns separated by | in one single column?

0 Karma
Reply
Solved! Jump to solution

mclane1
Path Finder
‎10-24-2018 01:58 AM

No, just columns without "|" I don't find how to make an array in this tools

0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎10-19-2018 08:55 AM

@mclane1,

|makeresults | eval Application="App1" | eval TX_P1=1 | eval TX_P2=10 | eval TX_P3=100 | eval TX_P4=1000 
| eval Source="ref" | append [|makeresults | eval Application="App2" | eval TX_P1=2 | eval TX_P2=20 
| eval TX_P3=200| eval TX_P4=2000| eval Source="ref"] | appendpipe [| eval Source="inc" | eval TX_P1=TX_P1-1 
| eval TX_P2=TX_P2-5| eval TX_P3=TX_P3-50| eval TX_P4=TX_P4-500] | sort Application
|streamstats current=f window=1 last(TX_P1) as PREV_P1,last(TX_P2) as PREV_P2,last(TX_P3) as PREV_P3,last(TX_P4) as PREV_P4
|where Source="inc"
|eval X1=100-(TX_P1*100)/PREV_P1,TX_P1=TX_P1."/".PREV_P1."(".X1."%)",
      X2=100-(TX_P2*100)/PREV_P2,TX_P2=TX_P2."/".PREV_P2."(".X2."%)",
      X3=100-(TX_P3*100)/PREV_P3,TX_P3=TX_P3."/".PREV_P3."(".X3."%)",
      X4=100-(TX_P4*100)/PREV_P4,TX_P4=TX_P4."/".PREV_P4."(".X4."%)"
|fields - PREV*,_time,Source,X*
---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...