Need help creating a table from column type logs

Mrig342
Contributor

Hi All,

I am trying to create a table out of the log below:

log:

ServerA ServerB ServerC
ADFILES41-6.2-4 not_available ADFILES41-6.2-4.2
ADM41-5.10.1-4 ADM41-5.10.1-4 ADM41-5.10.1-4
ADM41HF-5.10.1HF004-4 ADM41HF-5.10.1HF004-4 ADM41HF-5.10.1HF004-4
ADM42-5.11-4 ADM42-5.11-4 ADM42-5.11-4
ADM42HF-5.11HF03-4 ADM42HF-5.11HF03-4 not_available
TRA42-5.11-4 TRA42-5.11-4 not_available
not_available ADFILES42-6.2-4 not_available
not_available not_available TRA42-5.13-4

Here you can see that the 1st line gives the server names. The 2nd, 3rd, 4th and following lines are the applications available on the servers.

For example, from the 2nd line you can see that the application ADFILES41-6.2-4 is available in A & C but not in B. Similarly, from the 9th line you can see that the application TRA42-5.13-4 is available in C but not in A & B.

So the requirement is to create a table in the below way to show if any server is missing any application.

Server | ServerA | ServerB | ServerC
Application | ADFILES41-6.2-4 | not_available | ADFILES41-6.2-4
Application | ADM41-5.10.1-4 | ADM41-5.10.1-4 | ADM41-5.10.1-4
Application | ADM41HF-5.10.1HF004-4 | ADM41HF-5.10.1HF004-4 | ADM41HF-5.10.1HF004-4
Application | ADM42-5.11-4 | ADM42-5.11-4 | ADM42-5.11-4
Application | ADM42HF-5.11HF03-4 | ADM42HF-5.11HF03-4 | not_available
Application | TRA42-5.11-4 | TRA42-5.11-4 | not_available
Application | not_available | ADFILES42-6.2-4 | not_available
Application | not_available | not_available | TRA42-5.13-4

Please help me to create a query to get the table in the desired manner.

Any help on the problem would be highly appreciated.

Thank you All..!!


richgalloway
SplunkTrust

Check out the multikv command.  It helps to ingest table-formatted data like that.

---
If this reply helps you, Karma would be appreciated.


Mrig342
Contributor

Thank you @richgalloway for your insights.

I checked for the spaces between the values and they were equally spaced. Still couldn't get the expected result.

Then I replaced the normal spaces between the values with tab spaces in the logs. And that gave me the result in the expected manner.

Mrig342
Contributor

Thank you @richgalloway ...!!

The multikv command helped me break the events line-wise. However, when I used the table command to create a table for the dashboard, it was not what I desired.

I used this query "**** | multikv forceheader=1 | table ServerA,ServerB,ServerC" and this gave the table as:

Server | ServerA | ServerB | ServerC
Application | ADFILES41-6.2-4 not_available ADFILES41-6.2-4
Application | ADM41-5.10.1-4 ADM41-5.10.1-4 ADM41-5.10.1-4
Application | ADM41HF-5.10.1HF004-4 ADM41HF-5.10.1HF004-4 ADM41HF-5.10.1HF004-4
Application | ADM42-5.11-4 ADM42-5.11-4 ADM42-5.11-4
Application | ADM42HF-5.11HF03-4 ADM42HF-5.11HF03-4 not_available
Application | TRA42-5.11-4 TRA42-5.11-4 not_available
Application | not_available | ADFILES42-6.2-4 | not_available
Application | not_available | not_available | TRA42-5.13-4

I am not able to understand what went wrong here in the query, as the logs are equally spaced and are in a tabular format.

Please help me identify what might have gone wrong or help me modify the query to get the desired output.

Any help on this is highly appreciated.

Thank You All..!!


richgalloway
SplunkTrust

Double-check the spacing of the columns.  The multikv command is thrown off by uneven columns.

This worked for me:

| makeresults 
| eval _raw="ServerA              ServerB                ServerC
ADFILES41-6.2-4       not_available         ADFILES41-6.2-4.2
ADM41-5.10.1-4        ADM41-5.10.1-4        ADM41-5.10.1-4
ADM41HF-5.10.1HF004-4 ADM41HF-5.10.1HF004-4 ADM41HF-5.10.1HF004-4
ADM42-5.11-4          ADM42-5.11-4          ADM42-5.11-4
ADM42HF-5.11HF03-4    ADM42HF-5.11HF03-4    not_available
TRA42-5.11-4          TRA42-5.11-4          not_available
not_available         ADFILES42-6.2-4       not_available
not_available         not_available         TRA42-5.13-4"
| multikv forceheader=1
| table ServerA ServerB ServerC


---
If this reply helps you, Karma would be appreciated.
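
An alternative that does not depend on column alignment, added here as an example and not posted by anyone in this thread: it splits each line on runs of whitespace with rex instead of multikv, so the single-spaced log from the question parses as-is, and it goes one step further by listing the servers that lack each application. The field names line and missing_on are introduced by this example, the three server names are hard-coded from the header line, and the sample event is the question's log embedded with makeresults.

```spl
| makeresults
| eval _raw="ServerA ServerB ServerC
ADFILES41-6.2-4 not_available ADFILES41-6.2-4.2
ADM41-5.10.1-4 ADM41-5.10.1-4 ADM41-5.10.1-4
ADM41HF-5.10.1HF004-4 ADM41HF-5.10.1HF004-4 ADM41HF-5.10.1HF004-4
ADM42-5.11-4 ADM42-5.11-4 ADM42-5.11-4
ADM42HF-5.11HF03-4 ADM42HF-5.11HF03-4 not_available
TRA42-5.11-4 TRA42-5.11-4 not_available
not_available ADFILES42-6.2-4 not_available
not_available not_available TRA42-5.13-4"
| rex max_match=0 "(?<line>[^\r\n]+)"
| mvexpand line
| rex field=line "^\s*(?<ServerA>\S+)\s+(?<ServerB>\S+)\s+(?<ServerC>\S+)\s*$"
| where ServerA!="ServerA"
| eval missing_on=mvappend(if(ServerA=="not_available", "ServerA", null()), if(ServerB=="not_available", "ServerB", null()), if(ServerC=="not_available", "ServerC", null()))
| eval missing_on=mvjoin(missing_on, ", ")
| table ServerA ServerB ServerC missing_on
```

The where clause drops the header row and any line that does not have exactly three whitespace-separated values. Appending `| where isnotnull(missing_on)` keeps only the rows where at least one server lacks the application.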