Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I convert the following data into a pivot table?

tamakg
Path Finder
‎08-24-2018 02:19 PM

With the following search

index=msperf sourcetype="perfmon_processor_xml" 
| xpath outfield=Architecture "//COMMAND/RESULTS/CIM/INSTANCE/PROPERTY" 
| mvexpand Architecture 
| rex field=Architecture "^[^=\n]*=\"(?P[^\"]+)[^=\n]*=\"(?P[^\"]+)[^<\n]*<\w+>(?P[^<]+)"
| table PropertyName  PropertyValue
| where PropertyName in ( "Description", "DeviceID", "Name", "NumberOfCores", "NumberOfLogicalProcessors") 
| dedup PropertyValue 
| sort PropertyName PropertyValue

I've got the following result:

PropertyName     PropertyValue
Description          Intel64 Family 6 Model 45 Stepping 7
DeviceID             CPU0
DeviceID             CPU1
Name                 Intel(R) Xeon(R) CPU E5-2643 0 @ 3.30GHz
NumberOfCores    6

and I would like to convert to the following format:

DeviceID    Description             Name                        NumberOfCores
CPU0        Intel64 Family 6 Model 45 Stepping 7    Intel(R) Xeon(R) CPU E5-2643 0 @ 3.30GHz    6
CPU1        Intel64 Family 6 Model 45 Stepping 7    Intel(R) Xeon(R) CPU E5-2643 0 @ 3.30GHz    6

Help please?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎08-26-2018 07:45 AM

@tamakg

Have you tried transpose command.

https://docs.splunk.com/Documentation/Splunk/7.1.2/SearchReference/Transpose

Can you please try following search?

index=msperf sourcetype="perfmon_processor_xml" 
 | xpath outfield=Architecture "//COMMAND/RESULTS/CIM/INSTANCE/PROPERTY" 
 | mvexpand Architecture 
 | rex field=Architecture "^[^=\n]*=\"(?P[^\"]+)[^=\n]*=\"(?P[^\"]+)[^<\n]*<\w+>(?P[^<]+)"
 | table PropertyName  PropertyValue
 | where PropertyName in ( "Description", "DeviceID", "Name", "NumberOfCores", "NumberOfLogicalProcessors") 
 | dedup PropertyValue 
 | sort PropertyName PropertyValue
| transpose header_field=PropertyName column_name=PropertyValue 
| mvexpand DeviceID | fields - PropertyValue

My Sample Search:

| makeresults 
| eval PropertyName = "Description,DeviceID,DeviceID,Name,NumberOfCores,NumberOfLogicalProcessors", PropertyName=split(PropertyName,","),
    PropertyValue = "Intel64 Family 6 Model 45 Stepping 7,CPU0,CPU1,Intel(R) Xeon(R) CPU E5-2643 0 @ 3.30GHz,6,12",PropertyValue=split(PropertyValue,","), temp=mvzip(PropertyName,PropertyValue) 
| stats count by _time,temp 
| eval PropertyName=mvindex(split(temp,","),0),PropertyValue=mvindex(split(temp,","),1) 
| stats values(PropertyValue) as PropertyValue by PropertyName 
| transpose header_field=PropertyName column_name=PropertyValue 
| mvexpand DeviceID | fields - PropertyValue

Thanks

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎08-26-2018 07:45 AM

@tamakg

Have you tried transpose command.

https://docs.splunk.com/Documentation/Splunk/7.1.2/SearchReference/Transpose

Can you please try following search?

index=msperf sourcetype="perfmon_processor_xml" 
 | xpath outfield=Architecture "//COMMAND/RESULTS/CIM/INSTANCE/PROPERTY" 
 | mvexpand Architecture 
 | rex field=Architecture "^[^=\n]*=\"(?P[^\"]+)[^=\n]*=\"(?P[^\"]+)[^<\n]*<\w+>(?P[^<]+)"
 | table PropertyName  PropertyValue
 | where PropertyName in ( "Description", "DeviceID", "Name", "NumberOfCores", "NumberOfLogicalProcessors") 
 | dedup PropertyValue 
 | sort PropertyName PropertyValue
| transpose header_field=PropertyName column_name=PropertyValue 
| mvexpand DeviceID | fields - PropertyValue

My Sample Search:

| makeresults 
| eval PropertyName = "Description,DeviceID,DeviceID,Name,NumberOfCores,NumberOfLogicalProcessors", PropertyName=split(PropertyName,","),
    PropertyValue = "Intel64 Family 6 Model 45 Stepping 7,CPU0,CPU1,Intel(R) Xeon(R) CPU E5-2643 0 @ 3.30GHz,6,12",PropertyValue=split(PropertyValue,","), temp=mvzip(PropertyName,PropertyValue) 
| stats count by _time,temp 
| eval PropertyName=mvindex(split(temp,","),0),PropertyValue=mvindex(split(temp,","),1) 
| stats values(PropertyValue) as PropertyValue by PropertyName 
| transpose header_field=PropertyName column_name=PropertyValue 
| mvexpand DeviceID | fields - PropertyValue

Thanks

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...