Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to display multi event rows in a table from a ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to display multi event rows in a table from a single event?
chrisboy68
Contributor
04-19-2019
01:28 PM
Hi,
I have data in One event listed as TestName1, TestValue1, TestName2, TestValue2, TestName3, TestValue3. I want to have them show up on separate rows in a table as:
TestName 1 TestValue 1
TestName 2 TestValue 2
TestName3 TestValue 3
Tried several examples but nothing worked. Any idea?
Thank you,
Chris
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
chrisboy68
Contributor
04-25-2019
12:55 PM
Ok I figured this out based on the tips. "TestName1, TestValue1, TestName2, TestValue2, TestName3, TestValue3" where the actual field names and not the data. Below are the real fields and I had to make up one large field, added delimiters and Regex to slice.
| eval myCritical =(
"Critical1:" + "MetricName:" + Crit1MetricName + "Name:" +Crit1Name + "Operator:" + Crit1Operator + "Value:" + Crit1Value + "," +
"Critical2:" + "MetricName:" + Crit2MetricName + "Name:" +Crit2Name + "Operator:" + Crit2Operator + "Value:" + Crit2Value + "," +
"Critical3:" + "MetricName:" + Crit3MetricName + "Name:" +Crit3Name + "Operator:" + Crit3Operator + "Value:" + Crit3Value + "," +
"Critical4:" + "MetricName:" + Crit4MetricName + "Name:" +Crit4Name + "Operator:" + Crit4Operator + "Value:" + Crit4Value + "," +
"Critical4:" + "MetricName:" + Crit5MetricName + "Name:" +Crit5Name + "Operator:" + Crit5Operator + "Value:" + Crit5Value + ","
) | rex max_match=0 field=myCritical "(?<Critical>[^,\n]+)"
| table Critical
Thank you!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
04-21-2019
07:54 AM
Like this:
| makeresults
| eval _raw="TestName1, TestValue1, TestName2, TestValue2, TestName3, TestValue3"
| rex max_match=0 "(?<key>[^,\s]+),\s*(?<value>[^,\s]+)"
| table key value
But what I think you really need is this:
| makeresults
| eval _raw="TestName1, TestValue1, TestName2, TestValue2, TestName3, TestValue3"
| rex max_match=0 "(?<key>[^,\s]+),\s*(?<value>[^,\s]+)"
| eval _raw=mvzip(key, value, "=")
| kv
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
vnravikumar
Champion
04-19-2019
01:51 PM
Hi
Give a try
| makeresults
| eval msg="TestName1, TestValue1, TestName2, TestValue2, TestName3, TestValue3"
| rex max_match=0 field=msg "(?P<key>[^,]+)\,(?P<value>[^,]+)"
| eval key=trim(key)
| eval value=trim(value) |table key,value
OR
| makeresults
| eval msg="TestName1, TestValue1, TestName2, TestValue2, TestName3, TestValue3"
| rex max_match=0 field=msg "(?P<key>[^,]+)\,(?P<value>[^,]+)"
| eval join = mvzip(trim(key),trim(value) )
| mvexpand join
| eval temp = split(join,",")
| eval key=mvindex(temp,0)
| eval value=mvindex(temp,1) |table key, value
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
04-19-2019
01:40 PM
Could you post some real sample event? (mask anything sensitive)? You basically have to find a pattern to identify how TestName and TestValue pairs are written.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
chrisboy68
Contributor
04-22-2019
06:18 AM
Thanks for the suggestions, but still struggling. This is from a lookup table, so makeresults is erroring. My base search is:
|inputlookup MyLookUpTable.csv | search ApplicationName=MyApplicaiton
| fields Crit1MetricName Crit1Name Crit1Operator Crit1Type Crit1Value
Crit2MetricName Crit2Name Crit2Operator Crit2Type Crit2Value
Crit3MetricName Crit3Name Crit3Operator Crit3Type Crit3Value
Crit4MetricName Crit4Name Crit4Operator Crit4Type Crit4Value
Crit5MetricName Crit5Name Crit5Operator Crit5Type Crit5Value
the field names are real from the csv. So what I'm looking for is a table to output the following:
Row 1 = Crit1MetricName ,Crit1Name, Crit1Operator, Crit1Type, Crit1Value
Row 2= Crit2MetricName ,Crit2Name ,Crit2Operator, Crit2Type, Crit2Value
Row 3= Crit3MetricName ,Crit3Name, Crit3Operator, Crit3Type, Crit3Value
Row 4 = Crit4MetricName ,Crit4Name, Crit4Operator, Crit4Type, Crit4Value
Row 5 = Crit5MetricName ,Crit5Name ,Crit5Operator, Crit5Type, Crit5Value
Thank you!
Chris
Get Updates on the Splunk Community!
Brains, Bytes, and Boston: Learn from the Best at .conf25
When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
Splunk AppDynamics Agents Webinar Series
Mark your calendars! On June 24th at 12PM PST, we’re going live with the second session of our Splunk ...
SplunkTrust Application Period is Officially OPEN!
It's that time, folks! The application/nomination period for the 2025 SplunkTrust is officially open!
If you ...
