Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to build a table from different fields from a single event

Shaft
Explorer
‎01-11-2022 01:47 AM

Hello

I'm having this situation where I have a query returning a single event and I need to build a compound table from different fields from that event.

Here are the fields:

  • severity
  • severity_id
  • riskFactor
  • riskFactor_id
  • exploitAvailable
  • exploitAvailable_id

How can I build a table like this:

IndicatorValueId
Severityseverityseverity_id
Risk FactorriskFactorriskFactor_id
Exploit AvailableexploitAvailableexploitAvailable_id

 

Thanks for your help!

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎01-11-2022 02:26 AM

Here's one way you might do it:

| makeresults
| eval severity="High", severity_id=123, riskFactor="xyz", riskFactor_id=987, exploitAvailable="Y", exploitAvailable_id="ABCXYZ"
| fields - _time
``` the lines above create a dummy event with the fields mentioned ```
| transpose 0 column_name=name
| eval id=if(match(name,".*_id"),'row 1',null())
| eval value=if(match(name,".*_id"),null(),'row 1')
| eval indicator=trim(name,"_id")
| stats values(value) as value values(id) as id by indicator

View solution in original post

Reply
Solved! Jump to solution

Shaft
Explorer
‎01-11-2022 03:20 AM

Works great 🙂

Just had to filter out the other unrelated fields from the event.

Thanks a lot!

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎01-11-2022 02:26 AM

Here's one way you might do it:

| makeresults
| eval severity="High", severity_id=123, riskFactor="xyz", riskFactor_id=987, exploitAvailable="Y", exploitAvailable_id="ABCXYZ"
| fields - _time
``` the lines above create a dummy event with the fields mentioned ```
| transpose 0 column_name=name
| eval id=if(match(name,".*_id"),'row 1',null())
| eval value=if(match(name,".*_id"),null(),'row 1')
| eval indicator=trim(name,"_id")
| stats values(value) as value values(id) as id by indicator
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...