Splunk Search

How to generate a table where the values of my "serviceType" field appear as column headers?

kaushik1218
New Member

Below is an example of a single request with multiple lines where ServiceType is different.

(screenshot of the sample events; image not available)

The required result is as below, where serviceType is placed into a single row with different field names.

(screenshot of the desired table; image not available)

Happy to take any other suggestions. Thanks in advance.

0 Karma
1 Solution

somesoni2
Revered Legend

Well, in your sample output the field name is the same, so that will not work. If output like below is acceptable, try the query.

OUTPUT

_time, RequestID SiteID Address senderURI serviceType StatusCode
xxx    yyy       xxx    ppp     qqqq      AnalogueTelevision,Broadband,..othervalues.. statuscodevalue

Query

..your current search | stats values(serviceType) as serviceType by _time, RequestID SiteID Address senderURI StatusCode | nomv serviceType

OR
OUTPUT

_time, RequestID SiteID Address senderURI AnalogueTelevision Broadband DigitalTelevision Telephony StatusCode
xxx    yyy       xxx    ppp     qqqq      yes                yes       yes               yes   statuscodevalue

Query

..your current search | eval temp=_time."#".RequestID."#".SiteID."#".Address."#".senderURI."#".StatusCode | chart count over temp by serviceType | rex field=temp "^(?<time>[^#]+)#(?<RequestID>[^#]+)#(?<SiteID>[^#]+)#(?<Address>[^#]+)#(?<senderURI>[^#]+)#(?<StatusCode>[^#]+)$" | fields - temp | rename time as _time | table _time, RequestID SiteID Address senderURI * StatusCode


0 Karma


kaushik1218
New Member

Thanks for your fast reply.

Apologies for not mentioning it before: what will the query be if a new field name for "serviceType" is to be displayed for every serviceType value? Something like below.

servicetype1 servicetype2 servicetype3 servicetype4
xxx yyy zzz www

0 Karma
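One way to get the numbered servicetype1, servicetype2, ... columns asked for above, as an added example that is not part of the original thread; it assumes the same field names as the thread, and the column numbering follows event order within each request, so sort first if a fixed order matters. It numbers each serviceType row within its request with streamstats, writes the value into a dynamically named field, and collapses the rows with stats, so no delimiter-and-rex step is needed and a field value containing `#` cannot corrupt the grouping:

```spl
..your current search
| streamstats count as n by _time RequestID SiteID Address senderURI StatusCode
| eval col="servicetype".n
| eval {col}=serviceType
| stats values(servicetype*) as servicetype* by _time RequestID SiteID Address senderURI StatusCode
| table _time RequestID SiteID Address senderURI servicetype* StatusCode
```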