Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do you parse multiple columns (key/value)?

braicu
New Member
‎03-08-2019 07:36 AM

Hello,

Please help me with this.

I have result of two columns:

Tag-Key                                Tag-Value
Account                                   CIP
ApplicationName                   Infrastructure
AssetDataStored               InternalUseOnly
CostCenter                            Landing Zone
Environment                           LandingZoneStackSet
Name                                      Production
Owner                                     S3 LZ Access Logs

My question is, how do I parse them into individual columns like filter by Key: 

Account                   ApplicationName          CostCenter          
CIP                            Infrastructure                Landing Zone
Sandbox                  Production                     CIP
etc                                                                     etc
Tags (3)
0 Karma
Reply

braicu
New Member
‎03-09-2019 02:58 AM

i tested and is not working good 😞 .,,Not working guys 😞 . I have other fields not only Tag-Key & Tag Value . I need to split that Tag-Key to be the column name , and Value to be the value for the columns ( and i have multiple values not only one) , but the other columns that i have ( region , aws_account_id etc ) to remain unchanged , and transpose is not good solution.

0 Karma
Reply

vnravikumar
Champion
‎03-08-2019 09:54 AM

Hi @braicu

Try this

your query.. | sort Tag_Key,Tag_Value | table Tag_Key,Tag_Value | transpose 0  header_field=Tag_Key |fields - column
0 Karma
Reply

nickhills
Ultra Champion
‎03-08-2019 09:57 AM

Ha! That was exactly my suggestion, but I tried testing it with makeresults and it didn’t work very well.

Maybe it will work with real data!?

If my comment helps, please give it a thumbs up!
0 Karma
Reply

vnravikumar
Champion
‎03-08-2019 10:00 AM

It is working

alt text

0 Karma
Reply

braicu
New Member
‎03-09-2019 02:59 AM

I have tested and is not working 😞 . I have other columns not only those 2 and i need the other columns to remain unchanged. I need only tag-key to be parsed as column name , and tag-name to be the value for the columns.

0 Karma
Reply

Anam
Community Manager
Community Manager
‎03-08-2019 09:22 AM

Hi braicu

Thank you for posting your question on the Splunk Answers community. Are you getting these results from a search? If possible can you include your search in your post so members of the community can help provide further guidance.

Thanks

0 Karma
Reply

nickhills
Ultra Champion
‎03-08-2019 08:04 AM

Edited my post:

I was suggesting transpose, but on testing I'm not sure it will work for you.

Here is the documentation though: https://docs.splunk.com/Documentation/Splunk/7.2.4/SearchReference/Transpose

If my comment helps, please give it a thumbs up!
0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...