Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do you get tabular event with field value pair?

twh1
Communicator
‎09-07-2018 07:59 AM

I have an event in the below format.

INCIDENT_ID          PROBLEM_KEY                                                 CREATE_TIME                              
-------------------- ----------------------------------------------------------- ---------------------------------------- 
102753               ORA 15064                                                   2018-05-24 15:38:50.242000 -04:00       
107689               ORA 29740                                                   2018-05-24 17:04:00.414000 -04:00       
112801               ORA 32701                                                   2018-05-24 20:59:14.420000 -04:00

I need this data as INCIDENT_ID field with values (102753, 107689, 112801), and PROBLEM_KEY, CREATE_TIME fields in same way. I used multikv command, but I am not getting the desired result.

base search | multikv fields INCIDENT_ID PROBLEM_KEY CREATE_TIME | table INCIDENT_ID PROBLEM_KEY CREATE_TIME
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

twh1
Communicator
‎09-10-2018 02:57 AM

I got the desired output by using below command.

base search | multikv | table INCIDENT_ID PROBLEM_KEY CREATE_TIME

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

twh1
Communicator
‎09-10-2018 02:57 AM

I got the desired output by using below command.

base search | multikv | table INCIDENT_ID PROBLEM_KEY CREATE_TIME
0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎09-07-2018 01:29 PM

What's the current output looks like and what should be the expected output?

0 Karma
Reply
Solved! Jump to solution

twh1
Communicator
‎09-10-2018 02:22 AM

@somesoni2 :

I need 3 fileds(INCIDENT_ID, PROBLEM_KEY, CREATE_TIME) should get created at run time. When I use table command to print these fields respective column value should come in that field.

0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎09-07-2018 09:45 AM

@twh1, if its currently displaying as a single row, then try

your search|eval z=mvzip(mvzip( INCIDENT_ID ,PROBLEM_KEY,"," ),CREATE_TIME,"," )|fields z|mvexpand z|eval s=split(z,",")|eval INCIDENT_ID=mvindex(s,0),PROBLEM_KEY=mvindex(s,1),CREATE_TIME=mvindex(s,2)|fields INCIDENT_ID,PROBLEM_KEY,CREATE_TIME
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Solved! Jump to solution

twh1
Communicator
‎09-10-2018 02:20 AM

Hi @renjith.nair
I tried above query but didn't get the desired output.

0 Karma
Reply
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...