Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Translating an event into a table

Nicholas_Key
Splunk Employee
Splunk Employee
‎08-16-2010 10:08 PM

Hi all, is there a way to translate this event into a table? This is what I get with my search string:

index="vmware" source="vmware_api" "Inventory Report" | head 1 

datacenter=SF
  cluster=Intel-Hosts
    host=10.1.6.34
      vm=perfVMFS
      vm=NicholasVMTest
      vm=Win2003_x86_template
      vm=LisaSplunk4VMware
      vm=Support_vm_debian
      vm=JMW Ubuntu
      vm=vCenter
  cluster=AMD-Hosts
    host=10.1.12.5
      vm=Windows_2k3_64bit
      vm=SUDAENGW2008
      vm=Windows_XP_JPN
      vm=Windows_XP
      vm=Windows_XP_dev
      vm=Windows_2K_i386
      vm=Splunk4VMWare
    host=10.1.12.4
      vm=OpenSuse_10_x86_64
      vm=CentOS_3.9_i386
      vm=OpenSuse_10_i386
      vm=Windows_Vista_64bit
      vm=Solaris10_x86_64
      vm=CentOS_5.3_x84_64
      vm=LiveCD2
      vm=CentOS_3.9_x86_64
      vm=CentOS_5.1_i386
      vm=Ubuntu_8.0.4_x86_64
      vm=Windows_2k8_32bit
      vm=FreeBSD_6.4_x86_64
      vm=LiveCD1
      vm=Windows_2K8_64bit_JPN
      vm=VMware Infrastructure Management Assistant
      vm=CentOS_4.6_x86_64
      vm=CentOS_5.1_x84_64
      vm=CentOS_4.6_i386
      vm=Ubuntu_8.0.4_i386
      vm=Windows_2k3_32bit
      vm=LiveCD3

The table would eventually looks like this:

Datacenter | Cluster | Host | VM

Any thoughts?

Tags (2)
0 Karma
Reply
2 Solutions
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎08-16-2010 10:14 PM

I would recommend you change the output format if you have control. If you are creating the input source that creates these events, I would not expect it to be a huge change. Please see http://answers.splunk.com/questions/4734/structuring-nested-data for recommendation.

View solution in original post

Reply
Solved! Jump to solution
Solution

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎08-16-2010 10:15 PM

Your best bet is to write a custom python search command that restructures every event as desired.

View solution in original post

Reply
Solved! Jump to solution

Nicholas_Key
Splunk Employee
Splunk Employee
‎08-18-2010 06:42 PM

I have another thread here about doing join operation
http://answers.splunk.com/questions/5756/not-getting-results-from-join

0 Karma
Reply
Solved! Jump to solution
Solution

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎08-16-2010 10:15 PM

Your best bet is to write a custom python search command that restructures every event as desired.

Reply
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎08-16-2010 10:14 PM

I would recommend you change the output format if you have control. If you are creating the input source that creates these events, I would not expect it to be a huge change. Please see http://answers.splunk.com/questions/4734/structuring-nested-data for recommendation.

Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎08-16-2010 10:12 PM

If so, please see: http://answers.splunk.com/questions/4734/structuring-nested-data

0 Karma
Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎08-16-2010 10:10 PM

Is the format of your output under your control? i.e., are you writing the script, and can you modify how exactly it is output?

0 Karma
Reply
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...