Re: How can i format a table as rows into columns?

rarangarajanspl · ‎04-14-2020

Hello - I am new to Splunk. I would like to check whether it's feasible to format a table. In the screen shot 1, i have a table with 10 columns and 3 records. I want to format it as Screen shot2. i.e. columns should be divided into couple of sets. Each row should be displayed next accordingly.

Basically, i want to compare just by looking at the values.

niketn · ‎04-15-2020

@rarangarajansplunk what is the logic of dividing 10 columns into 2 column sets? Is it based on divide by 2 logic or based on Column name?

Why each of 3 rows became 6 column in your output?

What is the logic of Row 1 column between Column Set 1 and Column Set 2?

Please provide more details and context for the community to assist you better.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

rarangarajanspl · ‎04-15-2020

Hi Niketnilay
Thanks for reverting back with questions.
We are supposed generate a table by reading/parsing application generated log file (INFO,DEBUG,WARN,ERROR). This log file has incoming request message (input XML) and outgoing response message (output XML). There is a direct mapping between input xml elements and output xml elements.

At this point, I am able to parse these xmls and generate table as per the screen shot 1. i.e. first five coumns (A1, A2, A3, A4 and A5) are input XML elements. Second five columns (B1, B2, B3, B4 and B5) are output XML elements.

Unfortunately, we are finding it difficult to compare the directly mapped elements between input and output. In the real time we have 50+ elements in each input and out xmls.

To compare the input and output elements in a better way, we came up with two different column set (as per Screen shot 2).

Response to your queries
1. Column sets are decided based on input and output xml elements. Based on xml element name it's divided.
2. Please refer #1
3. We want to display name of the XML elements. May be this can be modified. i.e. First two columns are input and output xml elements name. From third column, we can start input xml actual values.

**Input XML Columns Row1 (IP XML)   Output XML Columns  Row1 (OP XML)   Row2 (IP XML)   Row2 (OP XML)   Row3 (IP XML)   Row3 (OP XML)**
IPXML Column1           Test1                    OPXML Column1           Test1                  Test2                   Test2   Test3   Test3
IPXML Column2           Test22                    OPXML Column2  Test22                Test23                  Test23   Test24  Test24
IPXML Column3           Test33                    OPXML Column3  Test33                 Test34                 Test34   Test35  Test35
IPXML Column4           Test44                    OPXML Column4  Test44                 Test45                 Test45   Test46  Test46
IPXML Column5           Test55                   OPXML Column5           Test55                  Test56                Test56   Test57  Test57

to4kawa · ‎04-15-2020

try transpose, foreach with eval, at last, selfjoin

harishalipaka · ‎04-15-2020

HI @rarangarajansplunk

Can u try this way..same content but table view is different

| makeresults | eval _raw=" A1      A2    B1   B2 
  /Test1       /Test22    /Test1       /Test22
  /Test2       /Test23      /Test2       /Test23
  /Test3       /Test24       /Test3       /Test24
 " | multikv |table A1 A2 B1 B2|transpose |transpose header_field=column

Thanks
Harish

harishalipaka · ‎04-15-2020

hi @rarangarajansplunk

try transpose and chart over by command

Thanks
Harish

How can i format a table as rows into columns?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?