How to convert a table back to a set of fields and values?

dougdaly
New Member

Hello -
Suppose I have a table like this:

_time ClientX:raw_value ClientX:score ClientX:state ClientY:raw_value ClientY:score ClientY:state 
18:00        5                3             1              11               2             0

This table came from using the R-app for number crunching, but now I want to use Splunk for different visualizations. For example, I may want to use the search: chart sum(score) over _time by Client

Doug


ppablo
Retired

Hi @dougdaly

Did @aljohnson_splunk's answer below solve your question? If yes, be sure to accept his answer by clicking "Accept" just below his answer. If not, please let him know.

Patrick


aljohnson_splun
Splunk Employee

You're looking for the multikv command! Literally: "Extracts field-values from table-formatted events."

Just pipe to multikv like this ... | multikv | chart sum(score) over _time by Client

Alternatively, specify which fields you'd like to extract as a list of field names after multikv, ... | multikv score Client | chart...

From the docs:

Extracts fields from events with information in a tabular format (e.g. top, netstat, ps, ... etc). A new event will be created for each table row. Field names will be derived from the title row of the table.

An example of the type of data multikv is designed to handle:

Name     Age   Occupation
Josh     42    SoftwareEngineer
Francine 35    CEO
Samantha 22    ProjectManager

The key properties here are:

  1. Each line of text represents a conceptual record.
  2. The columns are aligned.
  3. The first line of text provides the names for the data in the columns.

multikv can transform this table from one event into three events with the relevant fields. It works more easily with fixed alignment, though it can sometimes handle merely ordered fields.
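To make the three properties above concrete, here is an added example (not code from the answer, the Splunk docs, or the multikv command itself) of a small Python parser that does what the docs describe: it treats the first line as the header, derives column names from it, and emits one record per table row. It uses the docs' Name/Age/Occupation table and the question's ClientX/ClientY table as constructed inputs. The `unpivot_by_client` helper, which splits a `ClientX:score`-style field name into a `Client` value and a `score` field, is an assumption about how one might reshape the rows before a `chart ... by Client`; the page does not say multikv performs that step.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the aligned table from the docs excerpt in the answer.
DOCS_TABLE = """\
Name     Age   Occupation
Josh     42    SoftwareEngineer
Francine 35    CEO
Samantha 22    ProjectManager
"""

# Constructed sample: the table from the question (one row, per-client columns).
QUESTION_TABLE = """\
_time ClientX:raw_value ClientX:score ClientX:state ClientY:raw_value ClientY:score ClientY:state
18:00        5                3             1              11               2             0
"""


def header_columns(header: str) -> List[Tuple[str, int, Optional[int]]]:
    """Return (name, start, end) for each header token.

    The end of a column is the start of the next header token; the last
    column runs to the end of the line. This assumes values are left-aligned
    under their header (an assumption of this example, not a multikv rule).
    """
    tokens = [(m.group(), m.start()) for m in re.finditer(r"\S+", header)]
    columns = []
    for i, (name, start) in enumerate(tokens):
        end = tokens[i + 1][1] if i + 1 < len(tokens) else None
        columns.append((name, start, end))
    return columns


def split_table_event(event: str) -> List[Dict[str, str]]:
    """Turn one table-formatted event into one record per data row.

    Ordered-fields case: if a row has exactly as many whitespace-separated
    tokens as the header, map them positionally. Otherwise fall back to the
    header's column boundaries (fixed alignment), which also copes with
    values that contain spaces.
    """
    lines = [line for line in event.splitlines() if line.strip()]
    if not lines:
        return []
    columns = header_columns(lines[0])
    records = []
    for line in lines[1:]:
        tokens = line.split()
        if len(tokens) == len(columns):
            record = {name: tok for (name, _, _), tok in zip(columns, tokens)}
        else:
            record = {name: line[start:end].strip() for name, start, end in columns}
        records.append(record)
    return records


def unpivot_by_client(record: Dict[str, str], key: str = "_time") -> List[Dict[str, str]]:
    """Hypothetical reshaping step: split 'Client:metric' fields into one
    record per client carrying the key field plus that client's metrics."""
    by_client: Dict[str, Dict[str, str]] = {}
    for field, value in record.items():
        if ":" not in field:
            continue
        client, metric = field.split(":", 1)
        by_client.setdefault(client, {key: record.get(key, ""), "Client": client})[metric] = value
    return list(by_client.values())


if __name__ == "__main__":
    for rec in split_table_event(DOCS_TABLE):
        print(rec)
    for row in split_table_event(QUESTION_TABLE):
        for client_row in unpivot_by_client(row):
            print(client_row)
```

Running the block prints three records for the docs table and, for the question's table, one record per client with `_time`, `Client`, `raw_value`, `score` and `state` fields, which is the shape a `chart sum(score) over _time by Client` would need.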