Hi All,
So, yesterday we got a strange issue that we want to convert columns to rows.
Step 1 - Lets check this splunk search query -
index=* | stats max(bytes) AS max, min(bytes) AS min BY host
Please note on this image that, for same max/min values, we have 3 hosts.
Step 2 - basic mvcombine
so, we can combine these 3 rows to a single row, like this -
the command is "mvcombine" (multivalue combine) -
index=* host=www* | stats max(bytes) AS max, min(bytes) AS min BY host | mvcombine host
Step 3 - you can use a delimiter
To see the output of the delim argument, you must use the nomv command immediately after the mvcombine command.
index=* host=www* | stats max(bytes) AS max, min(bytes) AS min BY host | mvcombine delim="," host | nomv host
So, yesterday we got a strange issue that we want to convert columns to rows.
Step 1 - Lets check this splunk search query -
index=* | stats max(bytes) AS max, min(bytes) AS min BY host
Please note on this image that, for same max/min values, we have 3 hosts.
Step 2 - basic mvcombine
so, we can combine these 3 rows to a single row, like this -
index=* host=www* | stats max(bytes) AS max, min(bytes) AS min BY host | mvcombine host
Step 3 - you can use a delimiter
To see the output of the delim argument, you must use the nomv command immediately after the mvcombine command.
index=* host=www* | stats max(bytes) AS max, min(bytes) AS min BY host | mvcombine delim="," host | nomv host
No comments:
Post a Comment