
How to convert a table back to a set of fields and values?

New Member

Hello -
Suppose I have a table like this:

_time ClientX:raw_value ClientX:score ClientX:state ClientY:raw_value ClientY:score ClientY:state 
18:00        5                3             1              11               2             0

This table came from using the R-app for number crunching, but now I want to use Splunk for different visualizations. For example, I may want to use the search: chart sum(score) over _time by Client

Doug

0 Karma

Re: How to convert a table back to a set of fields and values?

Splunk Employee

You're looking for the multikv command! Literally: Extracts field-values from table-formatted events.

Just pipe to multikv like this ... | multikv | chart sum(score) over _time by Client

Alternatively, specify which fields you'd like to extract as a list of field names after multikv, ... | multikv score Client | chart...

From the docs:

Extracts fields from events with information in a tabular format (e.g. top, netstat, ps, ... etc). A new event will be created for each table row. Field names will be derived from the title row of the table.

An example of the type of data multikv is designed to handle:

Name     Age   Occupation
Josh     42    SoftwareEngineer
Francine 35    CEO
Samantha 22    ProjectManager

The key properties here are:

  1. Each line of text represents a conceptual record.
  2. The columns are aligned.
  3. The first line of text provides the names for the data in the columns.

multikv can transform this table from one event into three events with the relevant fields. It works more easily with the fixed-alignment though can sometimes handle merely ordered fields.
0 Karma
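The transformation the quoted documentation describes (title row names the fields, each aligned row becomes one record), followed by the reshaping the question asks for, as an added Python illustration. It is not Splunk's implementation of multikv and not code from either poster; the function names and the sample table are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the question's table (state columns dropped).
FMT = "{:<6}{:<18}{:<14}{:<18}{}"
SAMPLE = "\n".join(FMT.format(*row) for row in [
    ("_time", "ClientX:raw_value", "ClientX:score", "ClientY:raw_value", "ClientY:score"),
    ("18:00", "5", "3", "11", "2"),
    ("18:05", "7", "4", "", "1"),  # empty cell: only alignment identifies the column
])

def table_to_records(text):
    """Title row names the fields; every following row becomes one record."""
    header, *rows = [ln for ln in text.splitlines() if ln.strip()]
    cols = [(m.start(), m.group()) for m in re.finditer(r"\S+", header)]
    starts = [s for s, _ in cols] + [float("inf")]
    records = []
    for row in rows:
        rec = {}
        for m in re.finditer(r"\S+", row):
            # Assign the value to the column whose span contains its start offset.
            for i, (start, name) in enumerate(cols):
                if start <= m.start() < starts[i + 1]:
                    rec[name] = m.group()
        records.append(rec)
    return records

def split_by_client(records):
    """Turn 'ClientX:score' columns into events with Client and score fields."""
    out = []
    for rec in records:
        per_client = defaultdict(dict)
        for name, value in rec.items():
            client, sep, metric = name.partition(":")
            if sep:  # skips fields without a client prefix, such as _time
                per_client[client][metric] = value
        for client, metrics in per_client.items():
            out.append({"_time": rec.get("_time"), "Client": client, **metrics})
    return out

def sum_score_by_client(events):
    """Same shape of result as: chart sum(score) over _time by Client."""
    chart = defaultdict(lambda: defaultdict(int))
    for ev in events:
        chart[ev["_time"]][ev["Client"]] += int(ev.get("score", 0))
    return {t: dict(c) for t, c in chart.items()}

if __name__ == "__main__":
    print(sum_score_by_client(split_by_client(table_to_records(SAMPLE))))
```

The second data row shows why fixed alignment matters: with a blank cell, splitting on whitespace alone would shift the last value into the wrong column.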

Re: How to convert a table back to a set of fields and values?

Community Manager

Hi @dougdaly

Did @aljohnson_splunk's answer below solve your question? If yes, be sure to accept his answer by clicking "Accept" just below his answer. If not, please let him know.

Patrick

0 Karma