Issue with table command

MadhuriVanga — Fri, 25 Oct 2013 09:05:41 GMT

Hi,

My saved search looks like below:

index="efg" "$var$" rex "(abc=.*? )(?<payload>.*)(>)" | eval payload=replace(payload,"</.*?:","</") | eval payload=replace(payload,"<[^/]*?:","<") | xpath outfield=AAA "//details/aaa" field=payload|xpath outfield=BBB "//details/bbb" field=payload|xpath outfield=CCC "//details/ccc" field=payload|table AAA, BBB,CCC

When i run this, the table displays the all the values of AAA in a single row, same is the case with values in BBB. Only for CCC field values i am getting all values in different rows. Why is this happening. Please help me resolve this issue.

Currently i am getting the result as shown below:

AAA BBB CCC
1 2 3 4 5 6 1 2 3 4 5 6 1
2
3
4
5
6

Re: Issue with table command

lguinn2 — Mon, 28 Oct 2013 07:23:34 GMT

First, without knowing anything about your data, it is nearly impossible to say why this is happening.
So, a sample of the data (or even a detailed description) would be quite helpful.

Second, it would also nice to see a sample of the results from this search:

index="efg" "$var$" 
| rex "(abc=.*? )(?<payload>.*)(>)" 
| eval payload=replace(payload,"</.*?:","</") 
| eval payload=replace(payload,"<[^/]*?:","<") 
| table payload

That might give you a clue about the results you are seeing.

topic Re: Issue with table command in Splunk Search

Issue with table command

Re: Issue with table command