Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- insert values into table by regex
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
insert values into table by regex
hello
maybe my title is a little bit confusing.. i was not sure how to explain it in few words 🙂
i have fields, looks like :
RequestedHeadVoltagesSupport=24.9829,25.081,19,19,19,19,19,19
RequestedHeadVoltagesModel=23,23,28.8665,29.0513,27.7611,27.4205,27.6825,29.2477
i need to take parts of the string and set each part under different "head"
my query looks like :
(index=*_pj OR index=other) source=*HQ.cfg OR source=*HM.cfg OR RequestedHeadVoltagesSupport OR RequestedHeadVoltagesModel
| `SerialNumber`
| rex field=source "PerMachine_(?<MachineMode>[^\.]+)"
| eval MachineMode=if(MachineMode=="HM","HS/HM",MachineMode)
| rex "RequestedHeadVoltagesSupport=(?<head0>[^,]+),(?<head1>[^,]+),"
| rex "RequestedHeadVoltagesModel=[^,]+,[^,]+,(?<head2>[^,]+),(?<head3>[^,]+),(?<head4>[^,]+),(?<head5>[^,]+),(?<head6>[^,]+),(?<head7>[^,]+)"
| stats latest(head*) AS head* by source
|table head*
and the results are :
head0 head1 head2 head3 head4 head5 head6 head7
24.8697 24.4445 28.3751 26.8037 28.4493 27.0375 29.55 28.3208
24.8697 24.4445 28.3751 26.8037 28.4493 27.0375 29.55 28.3208
24.8697 24.4445 28.3751 26.8037 28.4493 27.0375 29.55 28.3208
24.8697 24.4445 28.3751 26.8037 28.4493 27.0375 29.55 28.3208
24.8697 24.4445 28.3751 26.8037 28.4493 27.0375 29.55 28.3208
24.8697 24.4445 28.3751 26.8037 28.4493 27.0375 29.55 28.320
for the query i posted the results are reasonable but what i want to achieve is the my table will look like:
Head RequestedHeadVoltagesSupport
RequestedHeadVoltagesModel 0
results of head 0 1
results of head 1 2
results of head 2 3
results of head 3 4
....
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
update:
i updated the query so it is look like :
(index=*_pj OR index=other) source=*HQ.cfg OR source=*HM.cfg AND (RequestedHeadVoltagesSupport OR RequestedHeadVoltagesModel )
| `SerialNumber`
| rex field=source "PerMachine_(?<MachineMode>[^\.]+)"
| eval MachineMode=if(MachineMode=="HM","HS/HM",MachineMode)
| rex "RequestedHeadVoltagesSupport=(?<head0>[^,]+),(?<head1>[^,]+),"
| rex "RequestedHeadVoltagesModel=[^,]+,[^,]+,(?<head2>[^,]+),(?<head3>[^,]+),(?<head4>[^,]+),(?<head5>[^,]+),(?<head6>[^,]+),(?<head7>[^,]+)"
| streamstats latest(_time) as _time latest(head*) AS head* latest(MachineMode) as MachineMode by SerialNumber
| transpose 0 header_field=head*
| rename column as SerialNumber
| untable SerialNumber field value | xyseries field SerialNumber value | rename field as Head
|eval VALUE_time=strftime(VALUE_time,"%m/%d/%y %H:%M:%S")
|rename VALUE_time as _time
| table _time SerialNumber MachineMode Head head*
it is better but the results are still not as expected
i want the "head0" "head1", etc.. to be under "Head" column and the values of "head0", "head1", etc.. to be accordingly
_time SerialNumber MachineMode Head head0 head1 head2 head3 head4 head5 head6 head7
04/28/19 07:46:01 8500065 HQ row 1 24.9829 25.081
04/28/19 07:46:01 8500065 HQ row 2 24.9829 25.081 28.8665 29.0513 27.7611 27.4205 27.6825 29.2477
04/28/19 07:46:01 8500012 HS/HM row 3 23.8241 23.7999
04/28/19 07:46:01 8500012 HS/HM row 4 23.8241 23.7999 27.2088 27.5538 26.3157 26.164 25.9687 28.6314
04/28/19 07:46:01 8500065 HQ row 5 24.9829 25.081 28.8665 29.0513 27.7611 27.4205 27.6825 29.2477
04/28/19 07:46:01 8500065 HQ row 6 24.9829 25.081 28.8665 29.0513 27.7611 27.4205 27.6825 29.2477
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It is completely indecipherable what out you want, can you post a screen grab or an excel grab of what you want?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
