| makeresults
| eval _raw="Field1,Field2,Field3,Field4,Field5,Field6,Field7,Field8,Field9
1,0,1,0,0,3,0,0,3
1,0,3,1,0,1,1,0,0
2,0,1,0,1,3,0,0,3
1,0,3,1,0,1,1,0,1
3,0,2,0,0,3,0,0,3
1,0,3,1,0,3,0,0,1
3,1,1,0,0,1,1,0,3
0,0,3,1,1,2,1,0,1"
| multikv forceheader=1
| table Field1,Field2,Field3,Field4,Field5,Field6,Field7,Field8,Field9
`comment("this is your sample")`
`comment("from here, the logic")`
| eval tmp=1
| untable tmp field_name value
| eventstats count(eval(value=0)) as with0 count(eval(value=1)) as with1,
count(eval(value=2)) as with2 count(eval(value=3)) as with3 by field_name
| table field_name with*
`comment("I think above is enough, but as you want, I do")`
| untable field_name with_number value
| rex field=with_number mode=sed "s/with(\d)/with \1/"
| eval value = "value: ".value
Hi, @splunk_exercice
How about this?