Splunk Dev
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Pivot/UnPivot Data from json msg

MrJohn230
Path Finder
‎10-19-2023 01:18 PM

Hello, I'm working in splunk enterprise 8.2.4

I have the below search

index=Red msg="*COMPLETED Task*”
| spath output=logMessage path=msg
| rex field=logMessage "Message\|[^\t\{]*(?<json>{[^\t]+})"
| eval PP_elapsedTime=spath(json, “PPInfo.PP.elapsedTime")
| eval CC_elapsedTime=spath(json, “CCInfo.CC.elapsedTime")
| eval System = “Member”
| table System, PP_elapsedTime, CC_elapsedTime

Current output:

System_timePP_elapsed_Time CC_elapsed_Time
Member2023-09-101.524
Member2023-09-1122.6

 

I want the output to read:

System_timeReasonValue
Member2023-09-10PP_elapsed_Time1.52
Member2023-09-10CC_elapsed_Time4
Member2023-09-11PP_elapsed_Time2
Member2023-09-11CC_elapsed_Time2.6

 

I'm not sure where to go from here, any feedback would be appreciated. 

 

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

fredclown
Builder
‎10-19-2023 01:40 PM

This should work.

| makeresults count=1
| eval _raw="System,_time,PP_elapsed_Time,CC_elapsed_Time
Member,2023-09-10,1.52,4
Member,2023-09-11,2,2.6"
| multikv forceheader=1
| fields - _time, _raw, linecount
| rename time as _time
| table System _time PP_elapsed_Time CC_elapsed_Time
```^^^^ Above is just creating example data ^^^^```
| eval SysTime = System + ":" + _time
| fields - System, _time
| untable SysTime Reason Value
| eval System = mvindex(split(SysTime,":"), 0)
| eval _time = mvindex(split(SysTime,":"), 1)
| fields - SysTime

View solution in original post

Reply
Solved! Jump to solution
Solution

fredclown
Builder
‎10-19-2023 01:40 PM

This should work.

| makeresults count=1
| eval _raw="System,_time,PP_elapsed_Time,CC_elapsed_Time
Member,2023-09-10,1.52,4
Member,2023-09-11,2,2.6"
| multikv forceheader=1
| fields - _time, _raw, linecount
| rename time as _time
| table System _time PP_elapsed_Time CC_elapsed_Time
```^^^^ Above is just creating example data ^^^^```
| eval SysTime = System + ":" + _time
| fields - System, _time
| untable SysTime Reason Value
| eval System = mvindex(split(SysTime,":"), 0)
| eval _time = mvindex(split(SysTime,":"), 1)
| fields - SysTime
Reply
Get Updates on the Splunk Community!

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Buttercup Games: Further Dashboarding Techniques (Part 7)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...
Top