The venerable old-skool Splunk forums are now closed. Feel free to search for old content here, but new posts are no longer supported.

Instead, please visit the thriving community at answers.splunk.com to ask and answer questions about your Splunk deployment and how to get the most out of it.

Forums: SplunkReporting: Merge two fields

Previous Topic: Module's  |   Next Topic: Percentile Graph Issue


Posts 1–9 of 9
1
posted by: anon1m0us  |  posts
date: October 8, 2009
permalink

I have a search:
index=summary Daily |stats sum(Hits) as Hits sum(UniquePages) as "Unique Pages" sum(Number_of_Visitors) as "Number of Visitors" sum(UniqueVisitors) as "Unique Visitors" by date_month date_year |rename date_month as Month date_year as Year

Month Year Hits Uniq Pages # of Visitors UniqVisitors
october 2009 140598 53024 396947 6887
september 2009 628699 216924 2047484 27787

Is there a way to have Month & year together ? Like
Month
October 2009

2
posted by: araitz  |  posts
date: October 8, 2009
permalink 

| strcat Month " " Year MonthYear
3
posted by: anon1m0us  |  posts
date: October 9, 2009
permalink

Worked great. Two questions
1) The month year is not a column at the end. How do I reorder the columns so Month/Year is the first column?

2) How do you rename the _time field? When doing a rename, I get a weird result.

4
posted by: anon1m0us  |  posts
date: October 9, 2009
permalink

To answer my first question, I did the following:

index=summary Daily |stats sum(Hits) as Hits sum(UniquePages) as "Unique Pages" sum(Number_of_Visitors) as "Number of Visitors" sum(UniqueVisitors) as "Unique Visitors" by date_month date_year|rename date_month as Month date_year as Year| strcat Month " " Year Month/Year |fields- Month,Year |fields + Month/Year, Hits, "Unique Pages", "Number of Visitors" , "Unique Visitors"

Is there a shorter /simpler way?

2) I still can not rename the _time to Date.

5
posted by: araitz  |  posts
date: October 9, 2009
permalink 

| eval Date = _time
6
posted by: anon1m0us  |  posts
date: October 9, 2009
permalink

No good. The output is as follows:
_time Hits Unique Pages Number of Visitors Unique Visitors Date

10/1/09 12:00:00.000 AM 21748 8436 65788 1245 1254369600

7
posted by: anon1m0us  |  posts
date: October 9, 2009
permalink

I did the following. Is there a better way to do it?

index=summary Daily |stats sum(Hits) as Hits sum(UniquePages) as "Unique Pages" sum(Number_of_Visitors) as "Number of Visitors" sum(UniqueVisitors) as "Unique Visitors" by _time| eval Date=_time | convert ctime(Date) as Date timeformat="%m/%d/%Y" |fields - _time |fields + Date,Hits,"Unique Pages","Number of Visitors","Unique Visitors"

8
posted by: araitz  |  posts
date: October 9, 2009
permalink

As you discovered, all time fields in Splunk are in epoch time, so yes, you would need to convert it if you wanted to make it human readable. You don't need the eval if you are going to convert:


| convert ctime(_time) as Date timeformat="%m/%d/%Y"
9
posted by: anon1m0us  |  posts
date: October 9, 2009
permalink

Thanks. The _time was annoying me for the longest time. It works great now,

To reorder the columns, the way I did it above(removing fields and readding them), does that seem correct or is there a better way?