How do you parse multiple columns (key/value)?

braicu
New Member

Hello,

Please help me with this.

I have a result with two columns:

Tag-Key                                Tag-Value
Account                                   CIP
ApplicationName                   Infrastructure
AssetDataStored               InternalUseOnly
CostCenter                            Landing Zone
Environment                           LandingZoneStackSet
Name                                      Production
Owner                                     S3 LZ Access Logs

My question is, how do I parse them into individual columns like filter by Key:

Account                   ApplicationName          CostCenter          
CIP                            Infrastructure                Landing Zone
Sandbox                  Production                     CIP
etc                                                                     etc 
0 Karma

braicu
New Member

I tested and it is not working well 😞. Not working, guys 😞. I have other fields, not only Tag-Key & Tag-Value. I need to split that Tag-Key to be the column name, and Value to be the value for the columns (and I have multiple values, not only one), but the other columns that I have (region, aws_account_id, etc.) to remain unchanged, and transpose is not a good solution.

0 Karma

vnravikumar
Champion

Hi @braicu

Try this

your query.. | sort Tag_Key, Tag_Value | table Tag_Key, Tag_Value | transpose 0 header_field=Tag_Key | fields - column
0 Karma

nickhills
Ultra Champion

Ha! That was exactly my suggestion, but I tried testing it with makeresults and it didn’t work very well.

Maybe it will work with real data!?

If my comment helps, please give it a thumbs up!
0 Karma

vnravikumar
Champion

It is working

0 Karma

braicu
New Member

I have tested and it is not working 😞. I have other columns, not only those 2, and I need the other columns to remain unchanged. I need only tag-key to be parsed as the column name, and tag-name to be the value for the columns.

0 Karma

Anam
Community Manager

Hi braicu

Thank you for posting your question on the Splunk Answers community. Are you getting these results from a search? If possible, can you include your search in your post so members of the community can help provide further guidance?

Thanks

0 Karma

nickhills
Ultra Champion

Edited my post:

I was suggesting transpose, but on testing I'm not sure it will work for you.

Here is the documentation though: https://docs.splunk.com/Documentation/Splunk/7.2.4/SearchReference/Transpose

If my comment helps, please give it a thumbs up!
0 Karma
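
An alternative to transpose that keeps the other columns, shown as an added example that is not from any participant in this thread. It assumes the fields are named Tag_Key and Tag_Value (as in the answer above) and that aws_account_id and region together identify the rows whose tags belong together; the sample rows and account IDs are constructed.

```spl
| makeresults
| eval constructed_sample="111111111111,eu-west-1,Account,CIP;111111111111,eu-west-1,ApplicationName,Infrastructure;111111111111,eu-west-1,CostCenter,Landing Zone;222222222222,us-east-1,Account,Sandbox;222222222222,us-east-1,ApplicationName,Production;222222222222,us-east-1,CostCenter,CIP"
| makemv delim=";" constructed_sample
| mvexpand constructed_sample
| rex field=constructed_sample "^(?<aws_account_id>[^,]+),(?<region>[^,]+),(?<Tag_Key>[^,]+),(?<Tag_Value>.+)$"
| fields - _time constructed_sample
| eval {Tag_Key}=Tag_Value
| fields - Tag_Key Tag_Value
| stats values(*) as * by aws_account_id region
```

Against real data, only the last three commands are needed after the base search: `eval {Tag_Key}=Tag_Value` creates a field named after each key, and `stats values(*) as * by ...` collapses the rows to one per group, listing every field that must stay unchanged in the `by` clause. A key that occurs more than once within a group yields a multivalue cell.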