Re: insert values into table by regex

sarit_s · ‎04-28-2019

hello
maybe my title is a little bit confusing.. i was not sure how to explain it in few words 🙂

i have fields, looks like :

RequestedHeadVoltagesSupport=24.9829,25.081,19,19,19,19,19,19
RequestedHeadVoltagesModel=23,23,28.8665,29.0513,27.7611,27.4205,27.6825,29.2477

i need to take parts of the string and set each part under different "head"
my query looks like :

 (index=*_pj OR index=other) source=*HQ.cfg OR source=*HM.cfg OR RequestedHeadVoltagesSupport OR RequestedHeadVoltagesModel 
| `SerialNumber` 
| rex field=source "PerMachine_(?<MachineMode>[^\.]+)" 
| eval MachineMode=if(MachineMode=="HM","HS/HM",MachineMode) 
| rex "RequestedHeadVoltagesSupport=(?<head0>[^,]+),(?<head1>[^,]+)," 
| rex "RequestedHeadVoltagesModel=[^,]+,[^,]+,(?<head2>[^,]+),(?<head3>[^,]+),(?<head4>[^,]+),(?<head5>[^,]+),(?<head6>[^,]+),(?<head7>[^,]+)"
| stats latest(head*) AS head* by source
|table head*

and the results are :

head0 head1 head2 head3 head4 head5 head6 head7
24.8697 24.4445 28.3751 26.8037 28.4493 27.0375 29.55 28.3208
24.8697 24.4445 28.3751 26.8037 28.4493 27.0375 29.55 28.3208
24.8697 24.4445 28.3751 26.8037 28.4493 27.0375 29.55 28.3208
24.8697 24.4445 28.3751 26.8037 28.4493 27.0375 29.55 28.3208
24.8697 24.4445 28.3751 26.8037 28.4493 27.0375 29.55 28.3208
24.8697 24.4445 28.3751 26.8037 28.4493 27.0375 29.55 28.320

for the query i posted the results are reasonable but what i want to achieve is the my table will look like:

Head RequestedHeadVoltagesSupport

RequestedHeadVoltagesModel 0

results of head 0 1

results of head 1 2

results of head 2 3

results of head 3 4

....

sarit_s · ‎04-29-2019

update:
i updated the query so it is look like :

(index=*_pj OR index=other) source=*HQ.cfg OR source=*HM.cfg AND (RequestedHeadVoltagesSupport OR RequestedHeadVoltagesModel )
| `SerialNumber` 
| rex field=source "PerMachine_(?<MachineMode>[^\.]+)" 
| eval MachineMode=if(MachineMode=="HM","HS/HM",MachineMode) 
| rex "RequestedHeadVoltagesSupport=(?<head0>[^,]+),(?<head1>[^,]+)," 
| rex "RequestedHeadVoltagesModel=[^,]+,[^,]+,(?<head2>[^,]+),(?<head3>[^,]+),(?<head4>[^,]+),(?<head5>[^,]+),(?<head6>[^,]+),(?<head7>[^,]+)"

| streamstats latest(_time) as _time latest(head*) AS head* latest(MachineMode) as MachineMode  by SerialNumber
| transpose 0 header_field=head*
  | rename column as SerialNumber
 | untable SerialNumber field value | xyseries field SerialNumber value | rename field as Head
 |eval VALUE_time=strftime(VALUE_time,"%m/%d/%y %H:%M:%S")
 |rename VALUE_time as _time
 | table _time SerialNumber MachineMode Head head*

it is better but the results are still not as expected
i want the "head0" "head1", etc.. to be under "Head" column and the values of "head0", "head1", etc.. to be accordingly

_time SerialNumber MachineMode Head head0 head1 head2 head3 head4 head5 head6 head7
04/28/19 07:46:01 8500065 HQ row 1 24.9829 25.081

04/28/19 07:46:01 8500065 HQ row 2 24.9829 25.081 28.8665 29.0513 27.7611 27.4205 27.6825 29.2477
04/28/19 07:46:01 8500012 HS/HM row 3 23.8241 23.7999

04/28/19 07:46:01 8500012 HS/HM row 4 23.8241 23.7999 27.2088 27.5538 26.3157 26.164 25.9687 28.6314
04/28/19 07:46:01 8500065 HQ row 5 24.9829 25.081 28.8665 29.0513 27.7611 27.4205 27.6825 29.2477
04/28/19 07:46:01 8500065 HQ row 6 24.9829 25.081 28.8665 29.0513 27.7611 27.4205 27.6825 29.2477

Sukisen1981 · ‎04-30-2019

It is completely indecipherable what out you want, can you post a screen grab or an excel grab of what you want?

insert values into table by regex

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation