
Get my single event in Tabular Format

rohithmn3
New Member

Hi Team,

My single Event looks like below:
FYI...

USER PID %CPU %MEM COMMAND
  daemon 6029500 0.2 0.0 .vasd
  daemon 5963962 0.1 0.0 .vasd
 auwasesp 13107344 0.0 1.0 java
 auwasesp 12714040 0.0 3.0 java
 auwasesp 12648618 0.0 0.0 java
 auwasesp 12517388 0.0 1.0 java
 auwasesp 12452016 0.0 1.0 java
 ausassrv 13434928 0.0 0.0 sas
 ausasadm 18022636 0.0 0.0 splunkd
 ausasadm 16384182 0.0 0.0 splunkd

I want this in a stats table, so that I can create a dashboard out of it.
Space is the delimiter. Please help me here!


knielsen
Contributor

Maybe you want to look at multikv as well. So something like

<yoursearch> | multikv | stats values(*) as * by PID

DalJeanis
Legend

Minor note: multikv assumes the table to be extracted is in the _raw field.

Here's a run-anywhere demo on the original poster's data...

| makeresults
| eval _raw ="blah garble anyoldstuff
 USER PID %CPU %MEM COMMAND
   daemon 6029500 0.2 0.0 .vasd
   daemon 5963962 0.1 0.0 .vasd
  auwasesp 13107344 0.0 1.0 java
  auwasesp 12714040 0.0 3.0 java
  auwasesp 12648618 0.0 0.0 java
  auwasesp 12517388 0.0 1.0 java
  auwasesp 12452016 0.0 1.0 java
  ausassrv 13434928 0.0 0.0 sas
  ausasadm 18022636 0.0 0.0 splunkd
  ausasadm 16384182 0.0 0.0 splunkd"
| multikv
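An added example, not from this thread and not Splunk's own code, showing outside Splunk what multikv does with the poster's event: take the header row as the column names, split each following row on whitespace into exactly that many columns, and roll the rows up per USER the way `stats ... by USER` would. The sample event is built from a subset of the question's rows plus one constructed row whose COMMAND contains spaces, which is the case a naive split-on-every-space gets wrong; the function names are my own.

```python
"""Added example (not from the original thread): parse a ps-style table the
way multikv does (header row names the columns, each later row is split on
whitespace) and aggregate it per USER like `stats count sum(...) by USER`."""
from collections import defaultdict

# Constructed sample event: a subset of the rows from the question plus one
# constructed row whose COMMAND column itself contains spaces.
SAMPLE_EVENT = """USER PID %CPU %MEM COMMAND
  daemon 6029500 0.2 0.0 .vasd
  daemon 5963962 0.1 0.0 .vasd
 auwasesp 13107344 0.0 1.0 java
 auwasesp 12714040 0.0 3.0 java
 ausassrv 13434928 0.0 0.0 sas
 ausasadm 18022636 0.0 0.0 splunkd
 ausasadm 16384182 0.0 0.0 splunkd
 auwasesp 12452016 0.0 1.0 java -Xmx2g -jar app.jar
"""


def parse_table(text):
    """Return one dict per data row, keyed by the header names.

    The header fixes the column count N; each row is split on whitespace at
    most N-1 times, so the last column (COMMAND) keeps any spaces it has.
    Rows that do not produce exactly N columns are skipped rather than
    producing misaligned fields.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return []
    header = lines[0].split()
    rows = []
    for ln in lines[1:]:
        parts = ln.split(None, len(header) - 1)
        if len(parts) != len(header):
            continue  # malformed row: does not match the header shape
        rows.append(dict(zip(header, parts)))
    return rows


def stats_by_user(rows):
    """Equivalent of `| stats count sum(%CPU) as cpu sum(%MEM) as mem by USER`."""
    agg = defaultdict(lambda: {"count": 0, "cpu": 0.0, "mem": 0.0})
    for r in rows:
        a = agg[r["USER"]]
        a["count"] += 1
        a["cpu"] += float(r["%CPU"])
        a["mem"] += float(r["%MEM"])
    return dict(agg)


if __name__ == "__main__":
    parsed = parse_table(SAMPLE_EVENT)
    for row in parsed:
        print(row)
    for user, totals in sorted(stats_by_user(parsed).items()):
        print(user, totals)
```

The header-driven split is the point: once the columns are named from the first row, the table can be charted per PID or per USER, and a process whose command line has arguments still lands in a single COMMAND field instead of spilling into extra columns.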

adonio
Ultra Champion

If fields are extracted, then use | table:
your search | table USER PID %CPU %MEM COMMAND
If fields are not extracted, click an event -> Event Actions -> Extract Fields -> Delimiters -> Space -> name your fields -> Save.
Now run the search above.
