Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Extract with PairDelim KeyDelim

aliquori
New Member
‎05-14-2020 03:53 PM

I have the following data in csv format:

date,year,quarter,statementType,dataCode,value
2020-03-31,2020,1,balanceSheet,ppeq,1047418000.0
2020-03-31,2020,1,balanceSheet,acctRec,0.0
2020-03-31,2020,1,incomeStatement,ebt,-20269000.0
2020-03-31,2020,1,incomeStatement,consolidatedIncome,-14061000.0
2020-03-31,2020,1,overview,bvps,12.4058406156063

I am trying to parse these so that dataCode values are the field names and Values remain the values.

Using INDEXED_EXTRACTIONS =csv in my props.conf results in ppeq, acctRec being dataCode values and the same for their actual values.

I have tried using | extract pairdelim="," kvdelim="," which associates correctly but also adds the date ex.
acctRec : 0.0 2020-03-31

I also looked at adding a transforms to parse out the fields using this \d+,\d+,\w+,\w+,(\w+)\,(\S+) but it does not appear that fields can be dynamically assigned and would all have to be specified. Any advice is greatly appreciated.

0 Karma
Reply

vnravikumar
Champion
‎05-15-2020 02:56 AM

Hi

Check this

...yourquery..| table date,year,quarter,statementType,dataCode,value 
| eval {dataCode}=value 
| fillnull value=0.0 
| fields - dataCode,value
0 Karma
Reply

aliquori
New Member
‎05-15-2020 06:02 AM

Thanks and that works but adds a lot of zero values making it difficult to chart. If I treat each line like a separate event I should be able to pull out each dataCode and Value and only show events where the data is present if that makes sense.

0 Karma
Reply

aliquori
New Member
‎05-17-2020 10:28 AM

I found an alternative solution by extracting at index time:

Transforms.conf
[csv_pair]
REGEX = -\d+\,\d+\,\d+\,\w+\,(\w+)\,(\S+)
FORMAT = $1::$2
REPEAT_MATCH = true
WRITE_META = true

props.conf
[csv]
TRANSFORMS-csv = csv_pair

0 Karma
Reply

ololdach
Builder
‎05-15-2020 02:22 AM

Hi,
I assume you want the result to look somewhat like this:
date, year, quarter, statementType,ppeq,acctRec,ebt,consolidatedIncome,bvps
2020-03-31,2020,1,balanceSheet,1047418000.0, 0.0, 0.0, 0.0, 0.0
2020-03-31,2020,1,IncomeStatement, 0.0, 0.0, -20269000.0, -14061000.0, 0.0
...

The trick is to use an eval to create the "new" fields:
| eval ppeq=if(dataCode="ppeq",value,0.0), acctRec=if(dataCode="acctRec",value,0.0), ebt=if(dataCode="ebt",value,0.0) ...

Hope it helps
Oliver

0 Karma
Reply

aliquori
New Member
‎05-15-2020 05:50 AM

Thanks Oliver,

That definitely works on a small scale, is there any way to have splunk dynamically create the fields at index or search time? I have over 100 fields with new ones potentially coming in every day.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...