Solved: Re: Translating an event into a table

Nicholas_Key · ‎08-16-2010

Hi all, is there a way to translate this event into a table? This is what I get with my search string:

index="vmware" source="vmware_api" "Inventory Report" | head 1 

datacenter=SF
  cluster=Intel-Hosts
    host=10.1.6.34
      vm=perfVMFS
      vm=NicholasVMTest
      vm=Win2003_x86_template
      vm=LisaSplunk4VMware
      vm=Support_vm_debian
      vm=JMW Ubuntu
      vm=vCenter
  cluster=AMD-Hosts
    host=10.1.12.5
      vm=Windows_2k3_64bit
      vm=SUDAENGW2008
      vm=Windows_XP_JPN
      vm=Windows_XP
      vm=Windows_XP_dev
      vm=Windows_2K_i386
      vm=Splunk4VMWare
    host=10.1.12.4
      vm=OpenSuse_10_x86_64
      vm=CentOS_3.9_i386
      vm=OpenSuse_10_i386
      vm=Windows_Vista_64bit
      vm=Solaris10_x86_64
      vm=CentOS_5.3_x84_64
      vm=LiveCD2
      vm=CentOS_3.9_x86_64
      vm=CentOS_5.1_i386
      vm=Ubuntu_8.0.4_x86_64
      vm=Windows_2k8_32bit
      vm=FreeBSD_6.4_x86_64
      vm=LiveCD1
      vm=Windows_2K8_64bit_JPN
      vm=VMware Infrastructure Management Assistant
      vm=CentOS_4.6_x86_64
      vm=CentOS_5.1_x84_64
      vm=CentOS_4.6_i386
      vm=Ubuntu_8.0.4_i386
      vm=Windows_2k3_32bit
      vm=LiveCD3

The table would eventually looks like this:

Datacenter | Cluster | Host | VM

Any thoughts?

gkanapathy · ‎08-16-2010

I would recommend you change the output format if you have control. If you are creating the input source that creates these events, I would not expect it to be a huge change. Please see http://answers.splunk.com/questions/4734/structuring-nested-data for recommendation.

View solution in original post

Stephen_Sorkin · ‎08-16-2010

Your best bet is to write a custom python search command that restructures every event as desired.

View solution in original post

Nicholas_Key · ‎08-18-2010

I have another thread here about doing join operation
http://answers.splunk.com/questions/5756/not-getting-results-from-join

Stephen_Sorkin · ‎08-16-2010

Your best bet is to write a custom python search command that restructures every event as desired.

gkanapathy · ‎08-16-2010

I would recommend you change the output format if you have control. If you are creating the input source that creates these events, I would not expect it to be a huge change. Please see http://answers.splunk.com/questions/4734/structuring-nested-data for recommendation.

gkanapathy · ‎08-16-2010

If so, please see: http://answers.splunk.com/questions/4734/structuring-nested-data

gkanapathy · ‎08-16-2010

Is the format of your output under your control? i.e., are you writing the script, and can you modify how exactly it is output?

Translating an event into a table

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

Join the Conversation

Translating an event into a table

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey