Splunk Search

How to build a table from different fields from a single event

Shaft
Explorer

Hello

I'm having this situation where I have a query returning a single event and I need to build a compound table from different fields from that event.

Here are the fields:

  • severity
  • severity_id
  • riskFactor
  • riskFactor_id
  • exploitAvailable
  • exploitAvailable_id

How can I build a table like this:

Indicator           Value              Id
Severity            severity           severity_id
Risk Factor         riskFactor         riskFactor_id
Exploit Available   exploitAvailable   exploitAvailable_id


Thanks for your help!

0 Karma
1 Solution

ITWhisperer
SplunkTrust

Here's one way you might do it:

| makeresults
| eval severity="High", severity_id=123, riskFactor="xyz", riskFactor_id=987, exploitAvailable="Y", exploitAvailable_id="ABCXYZ"
| fields - _time
``` the lines above create a dummy event with the fields mentioned ```
| transpose 0 column_name=name
``` after transpose each original field is a row: "name" holds the field name and "row 1" its value ```
| eval id=if(match(name,"_id$"),'row 1',null())
| eval value=if(match(name,"_id$"),null(),'row 1')
``` strip the literal "_id" suffix; trim(name,"_id") would remove any of the characters "_", "i" and "d" from both ends of the name ```
| eval indicator=replace(name,"_id$","")
| stats values(value) as value values(id) as id by indicator


Shaft
Explorer

Works great 🙂

Just had to filter out the other unrelated fields from the event.

Thanks a lot!

0 Karma
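A fuller version of the accepted approach, run against a real event instead of a makeresults dummy, as an added example that is not the search posted by ITWhisperer or Shaft. The index and sourcetype are placeholders, the "_id" suffix convention is taken from the field names in the question, and the display labels come from the table the question asks for. It also covers the point raised in the reply: the six indicator fields are selected up front so that unrelated fields in the event never become rows of the table.

```spl
index=YOUR_INDEX sourcetype=YOUR_SOURCETYPE
| fields severity severity_id riskFactor riskFactor_id exploitAvailable exploitAvailable_id
| fields - _time _raw
| head 1
| transpose 0 column_name=name
| eval is_id=if(match(name,"_id$"),1,0)
| eval indicator=replace(name,"_id$","")
| eval value=if(is_id=0,'row 1',null())
| eval id=if(is_id=1,'row 1',null())
| stats values(value) as Value values(id) as Id by indicator
| eval Indicator=case(indicator="severity","Severity", indicator="riskFactor","Risk Factor", indicator="exploitAvailable","Exploit Available", true(),indicator)
| eval order=case(Indicator="Severity",1, Indicator="Risk Factor",2, Indicator="Exploit Available",3, true(),99)
| sort order
| table Indicator Value Id
```

The explicit field list is what keeps the output to three rows: `transpose` turns every remaining field into a row, so `_time` and `_raw` are dropped as well, and `head 1` guards against the search unexpectedly returning more than one event (a second event would appear as a "row 2" column that the `'row 1'` references ignore). The suffix test uses the anchored regex `_id$` and the suffix is removed with `replace`, so a field such as `id_count` or `_idx` would not be mangled the way a character-set `trim` would mangle it. The two `case()` evals only relabel and order the rows to match the table in the question; drop them if the raw field names are acceptable.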
