Re: How to display multi event rows in a table fro...

chrisboy68 · ‎04-19-2019

Hi,

I have data in One event listed as TestName1, TestValue1, TestName2, TestValue2, TestName3, TestValue3. I want to have them show up on separate rows in a table as:

TestName 1 TestValue 1 
TestName 2 TestValue 2
TestName3 TestValue 3

Tried several examples but nothing worked. Any idea?

Thank you,

Chris

chrisboy68 · ‎04-25-2019

Ok I figured this out based on the tips. "TestName1, TestValue1, TestName2, TestValue2, TestName3, TestValue3" where the actual field names and not the data. Below are the real fields and I had to make up one large field, added delimiters and Regex to slice.

            | eval myCritical =(
                "Critical1:" + "MetricName:" + Crit1MetricName + "Name:" +Crit1Name + "Operator:" + Crit1Operator + "Value:" + Crit1Value + "," + 
                "Critical2:" + "MetricName:" + Crit2MetricName + "Name:" +Crit2Name + "Operator:" + Crit2Operator + "Value:" + Crit2Value + "," + 
                "Critical3:" + "MetricName:" + Crit3MetricName + "Name:" +Crit3Name + "Operator:" + Crit3Operator + "Value:" + Crit3Value + "," + 
                "Critical4:" + "MetricName:" + Crit4MetricName + "Name:" +Crit4Name + "Operator:" + Crit4Operator + "Value:" + Crit4Value + "," + 
                "Critical4:" + "MetricName:" + Crit5MetricName + "Name:" +Crit5Name + "Operator:" + Crit5Operator + "Value:" + Crit5Value + ","  
                ) | rex max_match=0 field=myCritical "(?<Critical>[^,\n]+)" 
            | table Critical

Thank you!

woodcock · ‎04-21-2019

Like this:

| makeresults 
| eval _raw="TestName1, TestValue1, TestName2, TestValue2, TestName3, TestValue3" 
| rex max_match=0 "(?<key>[^,\s]+),\s*(?<value>[^,\s]+)"
| table key value

But what I think you really need is this:

| makeresults 
| eval _raw="TestName1, TestValue1, TestName2, TestValue2, TestName3, TestValue3" 
| rex max_match=0 "(?<key>[^,\s]+),\s*(?<value>[^,\s]+)"
| eval _raw=mvzip(key, value, "=")
| kv

vnravikumar · ‎04-19-2019

Hi

Give a try

| makeresults 
| eval msg="TestName1, TestValue1, TestName2, TestValue2, TestName3, TestValue3" 
| rex max_match=0 field=msg "(?P<key>[^,]+)\,(?P<value>[^,]+)" 
| eval key=trim(key) 
| eval value=trim(value) |table key,value

OR

| makeresults 
| eval msg="TestName1, TestValue1, TestName2, TestValue2, TestName3, TestValue3" 
| rex max_match=0 field=msg "(?P<key>[^,]+)\,(?P<value>[^,]+)" 
| eval join = mvzip(trim(key),trim(value) ) 
| mvexpand join 
| eval temp = split(join,",") 
| eval key=mvindex(temp,0) 
| eval value=mvindex(temp,1) |table key, value

somesoni2 · ‎04-19-2019

Could you post some real sample event? (mask anything sensitive)? You basically have to find a pattern to identify how TestName and TestValue pairs are written.

chrisboy68 · ‎04-22-2019

Thanks for the suggestions, but still struggling. This is from a lookup table, so makeresults is erroring. My base search is:

        |inputlookup MyLookUpTable.csv  |  search ApplicationName=MyApplicaiton
         | fields Crit1MetricName Crit1Name Crit1Operator Crit1Type Crit1Value
        Crit2MetricName Crit2Name Crit2Operator Crit2Type Crit2Value
        Crit3MetricName Crit3Name Crit3Operator Crit3Type Crit3Value
        Crit4MetricName Crit4Name Crit4Operator Crit4Type Crit4Value
        Crit5MetricName Crit5Name Crit5Operator Crit5Type Crit5Value

the field names are real from the csv. So what I'm looking for is a table to output the following:

Row 1 = Crit1MetricName ,Crit1Name, Crit1Operator, Crit1Type, Crit1Value
Row 2= Crit2MetricName ,Crit2Name ,Crit2Operator, Crit2Type, Crit2Value
Row 3= Crit3MetricName ,Crit3Name, Crit3Operator, Crit3Type, Crit3Value
Row 4 = Crit4MetricName ,Crit4Name, Crit4Operator, Crit4Type, Crit4Value
Row 5 = Crit5MetricName ,Crit5Name ,Crit5Operator, Crit5Type, Crit5Value

Thank you!
Chris

How to display multi event rows in a table from a single event?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!