- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to create new field combined from existing...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi I have such a table in which is described the proces of any TestMachine:
A B C D
TestStart TestStatus TestDuration TestEnd
11.03.2015 14:54:32 PASS 116 11.03.2015 14:56:28
11.03.2015 14:57:10 PASS 116 11.03.2015 14:59:06
11.03.2015 14:59:58 PASS 119 11.03.2015 15:01:57
11.03.2015 15:03:21 FAIL 66 11.03.2015 15:04:27
11.03.2015 15:04:54 PASS 116 11.03.2015 15:06:50
11.03.2015 15:10:29 FAIL 185 11.03.2015 15:13:34
I need to create a table or chart, where the status of the testmachine will be displayed.
x axis: time, where will be combined columns A and D
y axis: such a binari impuls 0 to 1, where the status of the machine will be displayed
legend (status of the machine): RUN, WAIT
RUN status: is between A1 and D1
WAIT status: is between D1 and A2
here is an example, what I need: https://ibb.co/M6bcWnh
the events are sorted from the oldiest event
Can you help me, please?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I fixed it.
I created 3 multivalue fields:
1. | eval final_time=TestStart .",".TestEnd
2. | eval run="1,0"
3. | eval wait="0,1"
To the combination TestStart and TestEnd belongs multivalue field | eval run="1,0" (on start, run is 1, at the end the run is 0) and also the multivalue field | eval wait="0,1".
After that I created 3 new fields from the 3 previous multivalue fields
| makemv tokenizer="([^,]+),?" final_time
| makemv tokenizer="([^,]+),?" run
| makemv tokenizer="([^,]+),?" wait
| eval new=mvzip(final_time,run)
| eval neww=mvzip(new,wait)
| mvexpand neww
| eval time=substr(neww,1,19)
| eval run=substr(neww,21,1)
| eval wait=substr(neww,23,1)
| table time run wait
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I fixed it.
I created 3 multivalue fields:
1. | eval final_time=TestStart .",".TestEnd
2. | eval run="1,0"
3. | eval wait="0,1"
To the combination TestStart and TestEnd belongs multivalue field | eval run="1,0" (on start, run is 1, at the end the run is 0) and also the multivalue field | eval wait="0,1".
After that I created 3 new fields from the 3 previous multivalue fields
| makemv tokenizer="([^,]+),?" final_time
| makemv tokenizer="([^,]+),?" run
| makemv tokenizer="([^,]+),?" wait
| eval new=mvzip(final_time,run)
| eval neww=mvzip(new,wait)
| mvexpand neww
| eval time=substr(neww,1,19)
| eval run=substr(neww,21,1)
| eval wait=substr(neww,23,1)
| table time run wait
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
can you elaborate a little?
what does it mean: "x axis: time, where will be combined columns A and D"
what kind of combination?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi adonio. Sorry for not such a clear explenation and thank you for your message. I fixed it.
I created 3 multivalue fields:
1. | eval final_time=TestStart .",".TestEnd
2. | eval run="1,0"
3. | eval wait="0,1"
To the combination TestStart and TestEnd belongs multivalue field | eval run="1,0" (on start, run is 1, at the end the run is 0) and also the multivalue field | eval wait="0,1".
After that I created 3 new fields from the 3 previous multivalue fields
| makemv tokenizer="([^,]+),?" final_time
| makemv tokenizer="([^,]+),?" run
| makemv tokenizer="([^,]+),?" wait
| eval new=mvzip(final_time,run)
| eval neww=mvzip(new,wait)
| mvexpand neww
| eval time=substr(neww,1,19)
| eval run=substr(neww,21,1)
| eval wait=substr(neww,23,1)
| table time run wait
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
