Solved: Re: How to build a table from different fields fro...

Shaft · ‎01-11-2022

Hello

I'm having this situation where I have a query returning a single event and I need to build a compound table from different fields from that event.

Here are the fields:

severity
severity_id
riskFactor
riskFactor_id
exploitAvailable
exploitAvailable_id

How can I build a table like this:

Indicator	Value	Id
Severity	severity	severity_id
Risk Factor	riskFactor	riskFactor_id
Exploit Available	exploitAvailable	exploitAvailable_id

Thanks for your help!

ITWhisperer · ‎01-11-2022

Here's one way you might do it:

| makeresults
| eval severity="High", severity_id=123, riskFactor="xyz", riskFactor_id=987, exploitAvailable="Y", exploitAvailable_id="ABCXYZ"
| fields - _time
``` the lines above create a dummy event with the fields mentioned ```
| transpose 0 column_name=name
| eval id=if(match(name,".*_id"),'row 1',null())
| eval value=if(match(name,".*_id"),null(),'row 1')
| eval indicator=trim(name,"_id")
| stats values(value) as value values(id) as id by indicator

View solution in original post

Shaft · ‎01-11-2022

Works great 🙂

Just had to filter out the other unrelated fields from the event.

Thanks a lot!

ITWhisperer · ‎01-11-2022

Here's one way you might do it:

| makeresults
| eval severity="High", severity_id=123, riskFactor="xyz", riskFactor_id=987, exploitAvailable="Y", exploitAvailable_id="ABCXYZ"
| fields - _time
``` the lines above create a dummy event with the fields mentioned ```
| transpose 0 column_name=name
| eval id=if(match(name,".*_id"),'row 1',null())
| eval value=if(match(name,".*_id"),null(),'row 1')
| eval indicator=trim(name,"_id")
| stats values(value) as value values(id) as id by indicator

How to build a table from different fields from a single event

fields

table

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Buttercup Games: Further Dashboarding Techniques (Part 7)

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!