Solved: Can you help me output field name, value from stat...

benthehen100 · ‎09-25-2018

Hello,

I'm trying to get a very specific output format that can be fed into our ticketing system.

I have the following table in Splunk, top line is field names:

sender                             recipient                                 subject
lolwut@domain.com     bob@company.com                                   example1
lolwut@domain.com     alice@company.com                                   example2

This can either be a table or a set of stats values() multivalue fields.

I need the final table to output to a CSV like this:

sender            lolwut@domain.com
sender            lolwut@domain.com
recipient         bob@company.com
recipient          alice@company.com
subject            example1
subject            example2

somesoni2 · ‎09-25-2018

Give this a try

your current search giving fields sender recipient subject
| eval temp=1 
| untable temp fieldName fieldValue
| fields - temp

View solution in original post

somesoni2 · ‎09-25-2018

Give this a try

your current search giving fields sender recipient subject
| eval temp=1 
| untable temp fieldName fieldValue
| fields - temp

benthehen100 · ‎09-26-2018

This worked for me, never heard of the untable command and the doc is a bit weak but this got what I needed. Thank you much!

Can you help me output field name, value from stats table to CSV?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!