Splunk Dev

Pivot/UnPivot Data from json msg

MrJohn230
Path Finder

Hello, I'm working in splunk enterprise 8.2.4

I have the below search

index=Red msg="*COMPLETED Task*"
| spath output=logMessage path=msg
| rex field=logMessage "Message\|[^\t\{]*(?<json>{[^\t]+})"
| eval PP_elapsedTime=spath(json, "PPInfo.PP.elapsedTime")
| eval CC_elapsedTime=spath(json, "CCInfo.CC.elapsedTime")
| eval System = "Member"
| table System, PP_elapsedTime, CC_elapsedTime

Current output:

System   _time        PP_elapsed_Time   CC_elapsed_Time
Member   2023-09-10   1.52              4
Member   2023-09-11   2                 2.6

I want the output to read:

System   _time        Reason            Value
Member   2023-09-10   PP_elapsed_Time   1.52
Member   2023-09-10   CC_elapsed_Time   4
Member   2023-09-11   PP_elapsed_Time   2
Member   2023-09-11   CC_elapsed_Time   2.6

I'm not sure where to go from here, any feedback would be appreciated. 


fredclown
Contributor

This should work.

| makeresults count=1
| eval _raw="System,_time,PP_elapsed_Time,CC_elapsed_Time
Member,2023-09-10,1.52,4
Member,2023-09-11,2,2.6"
| multikv forceheader=1
| fields - _time, _raw, linecount
| rename time as _time
| table System _time PP_elapsed_Time CC_elapsed_Time
```^^^^ Above is just creating example data ^^^^```
| eval SysTime = System + ":" + _time
| fields - System, _time
| untable SysTime Reason Value
| eval System = mvindex(split(SysTime,":"), 0)
| eval _time = mvindex(split(SysTime,":"), 1)
| fields - SysTime
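As an added example (not part of fredclown's answer), the same untable approach applied to the search from the question instead of the makeresults test data. It assumes the events carry a normal numeric epoch _time, which is why the concatenation uses "." rather than "+" (in eval, "+" only concatenates when both operands are strings) and why the split-out value is converted back with tonumber; the table before untable drops _raw, msg, logMessage and json so they are not unpivoted into extra Reason/Value rows.

```spl
index=Red msg="*COMPLETED Task*"
| spath output=logMessage path=msg
| rex field=logMessage "Message\|[^\t\{]*(?<json>{[^\t]+})"
| eval PP_elapsed_Time=spath(json, "PPInfo.PP.elapsedTime")
| eval CC_elapsed_Time=spath(json, "CCInfo.CC.elapsedTime")
| eval System="Member"
| eval SysTime = System . ":" . _time
| table SysTime PP_elapsed_Time CC_elapsed_Time
| untable SysTime Reason Value
| eval System = mvindex(split(SysTime, ":"), 0)
| eval _time = tonumber(mvindex(split(SysTime, ":"), 1))
| fields - SysTime
| table System _time Reason Value
```

The epoch value contains no ":" so the split is safe; if System could ever contain ":", pick a separator that cannot occur in either field.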
