Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to convert the Row data into 1 column

Real_captain
Explorer
3 weeks ago

Hi 
Can you please let me know how i can display the below 3 rows in a single row :

Real_captain_0-1713359395340.png

 

Query : 
index=events_prod_cdp_penalty_esa source="SYSLOG" sourcetype=zOS-SYSLOG-Console (TERM(VVF119P)) ("- ENDED" OR "- STARTED" OR "PURGED --")
| rex field=TEXT "(VVF119P -)(?<Function>[^\-]+)"
| fillnull Function value=" PURGED"
| eval DAT = strftime(relative_time(_time, "+0h"), "%Y/%m/%d")
| rename DAT as Date_of_reception
| table JOBNAME,Date_of_reception ,Function , _time
| sort _time

 

I want to display the result in the below format: 

| JOBNAME | Date_of_reception | STARTED_TIME | ENDED_TIME | PURGED_TIME|
| $VVF119P | 2024/04/17 | 02:12:37 | 02:12:46 | 02:12:50

 

Thanks in advance. 

Labels (1)
Labels
0 Karma
Reply

Real_captain
Explorer
3 weeks ago

This give me the result in the below format. 

Real_captain_0-1713363865573.png

 

 

is it possible to have 1 more field in the table and sort the columns in the below order:

| JOBNAME | Date_of_reception | STARTED_TIME | ENDED_TIME | PURGED_TIME| Diff Between STARTED_TIME and ENDED_TIME | 
| $VVF119P | 2024/04/17 | 02:12:37 | 02:12:46 | 02:12:50 | 00:00:09| 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
3 weeks ago

Try something like this

| eval {Function}_TIME=_time
| stats values(Date_of_reception) as Date_of_reception values(*_TIME) as *_TIME by JOBNAME
| eval Diff=ENDED_TIME-STARTED_TIME
| fieldformat STARTED_TIME=strftime(STARTED_TIME,"%H:%M:%S")
| fieldformat ENDED_TIME=strftime(ENDED_TIME,"%H:%M:%S")
| fieldformat PURGED_TIME=strftime(PURGED_TIME,"%H:%M:%S")
| fieldformat Diff=tostring(Diff,"duration")
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
3 weeks ago

Try something like this

index=events_prod_cdp_penalty_esa source="SYSLOG" sourcetype=zOS-SYSLOG-Console (TERM(VVF119P)) ("- ENDED" OR "- STARTED" OR "PURGED --")
| rex field=TEXT "(VVF119P -)(?<Function>[^\-]+)"
| fillnull Function value=" PURGED"
| eval DAT = strftime(relative_time(_time, "+0h"), "%Y/%m/%d")
| rename DAT as Date_of_reception
| table JOBNAME,Date_of_reception ,Function , _time
| sort _time
| eval {Function}_TIME=strftime(_time,"%H:%M:%S")
| stats values(Date_of_reception) as Date_of_reception values(*_TIME) as *_TIME by JOBNAME
0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...