- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
MrJohn230
Path Finder
10-19-2023
01:18 PM
Hello, I'm working in splunk enterprise 8.2.4
I have the below search
index=Red msg="*COMPLETED Task*”
| spath output=logMessage path=msg
| rex field=logMessage "Message\|[^\t\{]*(?<json>{[^\t]+})"
| eval PP_elapsedTime=spath(json, “PPInfo.PP.elapsedTime")
| eval CC_elapsedTime=spath(json, “CCInfo.CC.elapsedTime")
| eval System = “Member”
| table System, PP_elapsedTime, CC_elapsedTimeCurrent output:
| System | _time | PP_elapsed_Time | CC_elapsed_Time |
| Member | 2023-09-10 | 1.52 | 4 |
| Member | 2023-09-11 | 2 | 2.6 |
I want the output to read:
| System | _time | Reason | Value |
| Member | 2023-09-10 | PP_elapsed_Time | 1.52 |
| Member | 2023-09-10 | CC_elapsed_Time | 4 |
| Member | 2023-09-11 | PP_elapsed_Time | 2 |
| Member | 2023-09-11 | CC_elapsed_Time | 2.6 |
I'm not sure where to go from here, any feedback would be appreciated.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
fredclown
Builder
10-19-2023
01:40 PM
This should work.
| makeresults count=1
| eval _raw="System,_time,PP_elapsed_Time,CC_elapsed_Time
Member,2023-09-10,1.52,4
Member,2023-09-11,2,2.6"
| multikv forceheader=1
| fields - _time, _raw, linecount
| rename time as _time
| table System _time PP_elapsed_Time CC_elapsed_Time
```^^^^ Above is just creating example data ^^^^```
| eval SysTime = System + ":" + _time
| fields - System, _time
| untable SysTime Reason Value
| eval System = mvindex(split(SysTime,":"), 0)
| eval _time = mvindex(split(SysTime,":"), 1)
| fields - SysTime- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
fredclown
Builder
10-19-2023
01:40 PM
This should work.
| makeresults count=1
| eval _raw="System,_time,PP_elapsed_Time,CC_elapsed_Time
Member,2023-09-10,1.52,4
Member,2023-09-11,2,2.6"
| multikv forceheader=1
| fields - _time, _raw, linecount
| rename time as _time
| table System _time PP_elapsed_Time CC_elapsed_Time
```^^^^ Above is just creating example data ^^^^```
| eval SysTime = System + ":" + _time
| fields - System, _time
| untable SysTime Reason Value
| eval System = mvindex(split(SysTime,":"), 0)
| eval _time = mvindex(split(SysTime,":"), 1)
| fields - SysTime
