Splunk Enterprise

Fill the table with null row where there is No output.

abhishekpatel2
Explorer

I get this table as output after my base query:

COL1 | COL2 | COL3 | ... and so on
A,a  | B,b  | C,c
X,x  |      | Y,y
Z,z  |      |

==================

Here A,a, X,x and Z,z are in the same row (the same cell).

Output:

COL1 | COL2      | COL3      | ... and so on
A,a  | B,b       | C,c
==================
X,x  | Null,Null | Y,y
==================
Z,z  | Null,Null | Null,Null

Can someone please help me with this?

0 Karma

scelikok
SplunkTrust

Can you describe the output you want?

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma

abhishekpatel2
Explorer

I don't have an image for this, but I want a perfectly rectangular or square table.

I will give you one example: if we consider that there are only two columns, then currently my output is as shown below:

(TA0002) Execution                               | (TA0001) Initial Access
(T1053) Scheduled Task,71.104815                 | (T1190) Exploit Public-Facing Application,2.91262
(T1059) Command-Line Interface,92.682926         |
(T1106) Execution through API,88.6363636         |
(T1204) User Execution,100                       |
(T1482) Domain Trust Discovery,88.636363         |
(T1486) Data Encrypted for Impact,88.6363636     |
That is, all of this is in a single row, but I want it in different rows:
(T1053) Scheduled Task,71.10481586402267
(T1059) Command-Line Interface,92.6829268292683
(T1106) Execution through API,88.63636363636364
(T1204) User Execution,100
(T1482) Domain Trust Discovery,88.63636363636364
(T1486) Data Encrypted for Impact,88.63636363636364
Expected Output:

(TA0002) Execution                               | (TA0001) Initial Access
(T1053) Scheduled Task,71.104815                 | (T1190) Exploit Public-Facing Application,2.91262
-----------------------------------------------------------------------------------------------------
(T1059) Command-Line Interface,92.682926         | NULL,NULL
-----------------------------------------------------------------------------------------------------
(T1106) Execution through API,88.6363636         | NULL,NULL
-----------------------------------------------------------------------------------------------------
(T1204) User Execution,100                       | NULL,NULL
-----------------------------------------------------------------------------------------------------
(T1482) Domain Trust Discovery,88.636363         | NULL,NULL
-----------------------------------------------------------------------------------------------------
(T1486) Data Encrypted for Impact,88.6363636     | NULL,NULL
And I have multiple rows; here I have taken only two.
So can someone please help me with this?
Thanks for the answers!
0 Karma
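The row-wise fill described above (the shorter tactic column padded with NULL,NULL so the table becomes rectangular), as an added Python example that is not part of this thread and not Splunk's own code; the tactic lists are constructed from the values in the post, and the newline-joined cell format handled by columns_from_mv_row is an assumption.

```python
from itertools import zip_longest

# Constructed from the values in the post above: each tactic column is the
# multivalue list left by "stats list(abc) by mitre_tactic" (6 values vs 1).
TACTIC_COLUMNS = {
    "(TA0002) Execution": [
        "(T1053) Scheduled Task,71.10481586402267",
        "(T1059) Command-Line Interface,92.6829268292683",
        "(T1106) Execution through API,88.63636363636364",
        "(T1204) User Execution,100",
        "(T1482) Domain Trust Discovery,88.63636363636364",
        "(T1486) Data Encrypted for Impact,88.63636363636364",
    ],
    "(TA0001) Initial Access": [
        "(T1190) Exploit Public-Facing Application,2.91262",
    ],
}

FILL = "NULL,NULL"  # placeholder the post wants in every empty cell


def columns_from_mv_row(row, sep="\n"):
    """Turn one transposed row whose cells are multivalue strings (assumed
    newline-joined, as a CSV export of a multivalue field looks) into lists."""
    return {h: [v for v in cell.split(sep) if v] for h, cell in row.items()}


def rectangularize(columns, fill=FILL):
    """Pad the ragged per-tactic lists so every row has a value in every column.
    Returns (headers, rows); dict order gives header order, value order is kept."""
    headers = list(columns)
    rows = list(zip_longest(*(columns[h] for h in headers), fillvalue=fill))
    return headers, rows


def split_cell(cell):
    """Split a 'technique,percent' cell on its last comma (the technique name
    itself may contain commas); a fill cell yields ('NULL', 'NULL')."""
    technique, _, percent = cell.rpartition(",")
    return technique, percent


def render(headers, rows):
    """Pipe-separated text table in the style sketched in the post."""
    width = max(len(v) for col in (headers, *rows) for v in col)
    lines = [" | ".join(h.ljust(width) for h in headers)]
    lines += [" | ".join(v.ljust(width) for v in row) for row in rows]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(*rectangularize(TACTIC_COLUMNS)))
```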

scelikok
SplunkTrust

Hi @abhishekpatel2,

I am not sure if I understood your problem, but please try stats list(abc) like below:

index=* mitre_tactic != "null"
| eval mitre_tactic=split(mitre_tactic,","),mitre_technique=split(mitre_technique,",")
| stats count by mitre_tactic,mitre_technique,result
| eval new=mvzip(result,count)
| stats sum(count) as Total,values(new) as new by mitre_tactic,mitre_technique
| mvexpand new
| search new="not_blocked*"
| eval count=mvindex(split(new,","),1)
| eval percent=(count/Total)*100
| eval abc=mvzip(mitre_technique,percent)
| stats list(abc) by mitre_tactic
| transpose 0 header_field=mitre_tactic
| fields - column

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma

abhishek_patel2
Splunk Employee

I want this form of output: Screenshot (151).png

0 Karma

abhishekpatel2
Explorer

No, it is not working. It is giving me the same output as I mentioned in the above image.

Can you help me with another way?

0 Karma