Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Extract with PairDelim KeyDelim
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Extract with PairDelim KeyDelim
I have the following data in csv format:
date,year,quarter,statementType,dataCode,value
2020-03-31,2020,1,balanceSheet,ppeq,1047418000.0
2020-03-31,2020,1,balanceSheet,acctRec,0.0
2020-03-31,2020,1,incomeStatement,ebt,-20269000.0
2020-03-31,2020,1,incomeStatement,consolidatedIncome,-14061000.0
2020-03-31,2020,1,overview,bvps,12.4058406156063
I am trying to parse these so that dataCode values are the field names and Values remain the values.
Using INDEXED_EXTRACTIONS =csv in my props.conf results in ppeq, acctRec being dataCode values and the same for their actual values.
I have tried using | extract pairdelim="," kvdelim="," which associates correctly but also adds the date ex.
acctRec : 0.0 2020-03-31
I also looked at adding a transforms to parse out the fields using this \d+,\d+,\w+,\w+,(\w+)\,(\S+) but it does not appear that fields can be dynamically assigned and would all have to be specified. Any advice is greatly appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
Check this
...yourquery..| table date,year,quarter,statementType,dataCode,value
| eval {dataCode}=value
| fillnull value=0.0
| fields - dataCode,value
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks and that works but adds a lot of zero values making it difficult to chart. If I treat each line like a separate event I should be able to pull out each dataCode and Value and only show events where the data is present if that makes sense.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I found an alternative solution by extracting at index time:
Transforms.conf
[csv_pair]
REGEX = -\d+\,\d+\,\d+\,\w+\,(\w+)\,(\S+)
FORMAT = $1::$2
REPEAT_MATCH = true
WRITE_META = true
props.conf
[csv]
TRANSFORMS-csv = csv_pair
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I assume you want the result to look somewhat like this:
date, year, quarter, statementType,ppeq,acctRec,ebt,consolidatedIncome,bvps
2020-03-31,2020,1,balanceSheet,1047418000.0, 0.0, 0.0, 0.0, 0.0
2020-03-31,2020,1,IncomeStatement, 0.0, 0.0, -20269000.0, -14061000.0, 0.0
...
The trick is to use an eval to create the "new" fields:
| eval ppeq=if(dataCode="ppeq",value,0.0), acctRec=if(dataCode="acctRec",value,0.0), ebt=if(dataCode="ebt",value,0.0) ...
Hope it helps
Oliver
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Oliver,
That definitely works on a small scale, is there any way to have splunk dynamically create the fields at index or search time? I have over 100 fields with new ones potentially coming in every day.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Event Series: Splunk Observability Metrics Cost Optimization
Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...
Deep insights, no barriers: Splunk Observability Cloud Free Edition
