Solved: Pivot/UnPivot Data from json msg

MrJohn230 · ‎10-19-2023

Hello, I'm working in splunk enterprise 8.2.4

I have the below search

index=Red msg="*COMPLETED Task*”
| spath output=logMessage path=msg
| rex field=logMessage "Message\|[^\t\{]*(?<json>{[^\t]+})"
| eval PP_elapsedTime=spath(json, “PPInfo.PP.elapsedTime")
| eval CC_elapsedTime=spath(json, “CCInfo.CC.elapsedTime")
| eval System = “Member”
| table System, PP_elapsedTime, CC_elapsedTime

Current output:

System	_time	PP_elapsed_Time	CC_elapsed_Time
Member	2023-09-10	1.52	4
Member	2023-09-11	2	2.6

I want the output to read:

System	_time	Reason	Value
Member	2023-09-10	PP_elapsed_Time	1.52
Member	2023-09-10	CC_elapsed_Time	4
Member	2023-09-11	PP_elapsed_Time	2
Member	2023-09-11	CC_elapsed_Time	2.6

I'm not sure where to go from here, any feedback would be appreciated.

fredclown · ‎10-19-2023

This should work.

| makeresults count=1
| eval _raw="System,_time,PP_elapsed_Time,CC_elapsed_Time
Member,2023-09-10,1.52,4
Member,2023-09-11,2,2.6"
| multikv forceheader=1
| fields - _time, _raw, linecount
| rename time as _time
| table System _time PP_elapsed_Time CC_elapsed_Time
```^^^^ Above is just creating example data ^^^^```
| eval SysTime = System + ":" + _time
| fields - System, _time
| untable SysTime Reason Value
| eval System = mvindex(split(SysTime,":"), 0)
| eval _time = mvindex(split(SysTime,":"), 1)
| fields - SysTime

View solution in original post

fredclown · ‎10-19-2023

This should work.

| makeresults count=1
| eval _raw="System,_time,PP_elapsed_Time,CC_elapsed_Time
Member,2023-09-10,1.52,4
Member,2023-09-11,2,2.6"
| multikv forceheader=1
| fields - _time, _raw, linecount
| rename time as _time
| table System _time PP_elapsed_Time CC_elapsed_Time
```^^^^ Above is just creating example data ^^^^```
| eval SysTime = System + ":" + _time
| fields - System, _time
| untable SysTime Reason Value
| eval System = mvindex(split(SysTime,":"), 0)
| eval _time = mvindex(split(SysTime,":"), 1)
| fields - SysTime

Pivot/UnPivot Data from json msg

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio