I loaded Hadoop events in the Following format into Splunk:
In the next step I would like to create a dashboard which displays those values in a table, something like this:
and so on.
I am stuck because Splunk won't recognize those event lines as searchable fields. Any ideas on how I can generate the table from the sample event?
Thanks in advance!
If you are comfortable change transforms.conf & props.conf, you will need to add a field extraction rule to extract these fields at searchtime. Something like this in your transforms should do it
REGEX = ([^:]+):(.*)
FORMAT = $1::$2
The other option is to achieve this from web ui (this may be easier with similar results). Here's a link on that http://docs.splunk.com/Documentation/Splunk/6.2.0/Knowledge/Managefieldtransforms
Third option, is use the extract command in your search, like this
... | extract pairdelim="\n" kvdelim=":"
This would be my last option.