Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create a table that will combine search results based on SerialNumber and split them into 3 columns but one row?

kr5345
Engager
‎03-24-2022 05:40 PM

Hey there, pretty new to Splunk searching. I am trying to get a table created that will combine search results based on SerialNumber and split them into 3 columns but one row. 

Currently: 

`main_index` SerialNumber IN (XXX-XXX-XXX)
| search "DUKPT KEY #" OR "type=DUKPT"
| rex "DUKPT (Key|KEY) #(?<slot>[0-9]): \[ Status: (?<Status>[A-Z_]+)"
| rex "KSN:(?<Key>.+)\]"
| eval slot = if(LIKE (ApplicationVersion,"6.%"), slot, slot -1)
| eval Key = if(LIKE (ApplicationVersion,"6.%"), ("Slot #".slot.": KSN: ".ksn),if(Status="KEY_PRESENT","Slot #".slot.": KSN: ".Key,"Slot #".slot.": No Key Loaded"))
| dedup slot SerialNumber
| table SerialNumber Key | sort slot


Result:

kr5345_0-1648168728986.png

Desired Result:

SerialNumber, Slot0, Slot1, Slot2
XXX-XXX-XXX, No Key Loaded, No Key Loaded, No Key Loaded

I've tried Transpose, Transaction (which merged the entries into one row, but I couldn't figure out how to split the entries into their own column/field)

Labels (2)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-24-2022 10:41 PM

Try something like this

`main_index` SerialNumber IN (XXX-XXX-XXX)
| search "DUKPT KEY #" OR "type=DUKPT"
| rex "DUKPT (Key|KEY) #(?<slot>[0-9]): \[ Status: (?<Status>[A-Z_]+)"
| rex "KSN:(?<Key>.+)\]"
| eval slot = if(LIKE (ApplicationVersion,"6.%"), slot, slot -1)
| eval Key = if(LIKE (ApplicationVersion,"6.%"), ("Slot #".slot.": KSN: ".ksn),if(Status="KEY_PRESENT","Slot #".slot.": KSN: ".Key,"Slot #".slot.": No Key Loaded"))
| dedup slot SerialNumber
| xyseries SerialNumber slot Key

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-24-2022 10:41 PM

Try something like this

`main_index` SerialNumber IN (XXX-XXX-XXX)
| search "DUKPT KEY #" OR "type=DUKPT"
| rex "DUKPT (Key|KEY) #(?<slot>[0-9]): \[ Status: (?<Status>[A-Z_]+)"
| rex "KSN:(?<Key>.+)\]"
| eval slot = if(LIKE (ApplicationVersion,"6.%"), slot, slot -1)
| eval Key = if(LIKE (ApplicationVersion,"6.%"), ("Slot #".slot.": KSN: ".ksn),if(Status="KEY_PRESENT","Slot #".slot.": KSN: ".Key,"Slot #".slot.": No Key Loaded"))
| dedup slot SerialNumber
| xyseries SerialNumber slot Key
Reply
Solved! Jump to solution

kr5345
Engager
‎03-25-2022 10:22 AM

Yep! this made it work. I was on the right track but was not getting the xyseries arguments right for some reason. Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...