Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Summary Index - Eval Issue - Need both combined & segregated data

gopiven
Explorer
‎06-22-2020 11:26 PM

Hi Splunk Experts

I've created a summary index where it contains 6 eval cases, for example:

eval 1=case(match(something,"a",...."b","c"), eval 2 =case (d,e,f)....eval 6=case(x,y,z) 

where a,b,c....x,y,z are the individual detailed functions & 1,2,3,,4,5,6 as overall functions. Now I have combined all eval functions into a single value using eval Total_Function = mvappend(1,2,3,4,5,6).

But I want to list the table with both overall function & individual detailed function as well. But I am not sure how to get individual detail values in the table along with overall function.

Expected table as below:

Time Total_Function      Overallfunction Individual function

XX     T otal_Function          1                               a
YY       Total_Function          1                               b
ZZ       Total_Function          1                               c
AA       Total_Function         6                               x
BB       Total_Function         6                               y
CC      Total_Function          6                               z                     

Kindly help me please.

(Please note, there are multiple individual functions in each eval case)

 

Labels (4)
Labels
0 Karma
Reply

DalJeanis
Legend
‎06-23-2020 11:43 AM

A summary index can contain literally any number of columns.  Just output the record with one column for each item you want to report.  

So, if an event had values for functions a, c r and t, and the Overall function was 1, then it might look like 

 

(time) total_function=23, overall=1, a=12, c=7, r=0, t=15

 

 

or, if I misunderstood your meaning, maybe it might be 

 

(time) total_function=23 overall="1;3" detail="a;c;r;t"

 

or

 

(time) total_function=23 overall="1;3" detail="a=12;c=7;r=0;t=15"

 

 

The next record does not have to have all the same fields.

 

0 Karma
Reply

gopiven
Explorer
‎06-23-2020 06:19 PM

Thanks for the reply. I guess you misunderstood the Question.
I am looking to segregate the individual fields which are already appended through mvappend command.

mvappend(1,2,3,4,5,6)
1,2,3,4,5,6 are the eval function cases with values a,b....x,y,z(these values are calculated based on match criteria)

Hence want to table the data as mentioned in the initial question.

0 Karma
Reply

DalJeanis
Legend
‎06-26-2020 02:33 PM

Okay, look at what happens when you do these commands

 

| makeresults
| eval myfield1=mvappend("a","b","c")
| eval myfield2=mvjoin(myfield1,"!!!!")
| eval myfield3=makemv(myfield2,"!!!!")

 and then this command

| mvexpand myfield3
0 Karma
Reply
Get Updates on the Splunk Community!

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

We’ve streamlined the troubleshooting experience for database-related service issues by adding a database ...

IM Landing Page Filter - Now Available

We’ve added the capability for you to filter across the summary details on the main Infrastructure Monitoring ...

Dynamic Links from Alerts to IM Navigators - New in Observability Cloud

Splunk continues to improve the troubleshooting experience in Observability Cloud with this latest enhancement ...