Solved: How to generate a table where the values of my "se...

kaushik1218 · ‎08-15-2017

Below is the example of single request with multiple lines where ServiceType is different.

Required result to be as below, where Service type is placed into single row with different field names

Happy to take any other suggestions. Thanks in advance

somesoni2 · ‎08-15-2017

Well in your sample output, the field name is same and will not work. If output like below is acceptable, try the query.

OUTPUT

_time, RequestID SiteID Address senderURI serviceType StatusCode
xxx    yyy       xxx    ppp     qqqq      AnalogueTelevision,Broadband,..othervalues.. statuscodevalue

Query

..your current search | stats values(serviceType) as serviceType by   _time, RequestID SiteID Address senderURI StatusCode | nomv serviceType

OR
OUTPUT

_time, RequestID SiteID Address senderURI AnalogueTelevision Broadband DigitalTelevision Telephony StatusCode
xxx    yyy       xxx    ppp     qqqq      yes                yes       yes               yes   statuscodevalue

Query

..your current search | eval temp=_time."#".RequestID."#".SiteID."##".Address."#".senderURI."#".StatusCode | stats count over temp by serviceType | rex field=temp "(?<time>\d+)#(?<RequestID>[^#]+)#(?<SiteID>[^#]+)#(?<Address>[^#]+)#(?<senderURI>[^#]+)#(?<StatusCode>[^#]+)" | fields - temp | rename time as _time| table _time, RequestID SiteID Address senderURI * StatusCode

View solution in original post

somesoni2 · ‎08-15-2017

Well in your sample output, the field name is same and will not work. If output like below is acceptable, try the query.

OUTPUT

_time, RequestID SiteID Address senderURI serviceType StatusCode
xxx    yyy       xxx    ppp     qqqq      AnalogueTelevision,Broadband,..othervalues.. statuscodevalue

Query

..your current search | stats values(serviceType) as serviceType by   _time, RequestID SiteID Address senderURI StatusCode | nomv serviceType

OR
OUTPUT

_time, RequestID SiteID Address senderURI AnalogueTelevision Broadband DigitalTelevision Telephony StatusCode
xxx    yyy       xxx    ppp     qqqq      yes                yes       yes               yes   statuscodevalue

Query

..your current search | eval temp=_time."#".RequestID."#".SiteID."##".Address."#".senderURI."#".StatusCode | stats count over temp by serviceType | rex field=temp "(?<time>\d+)#(?<RequestID>[^#]+)#(?<SiteID>[^#]+)#(?<Address>[^#]+)#(?<senderURI>[^#]+)#(?<StatusCode>[^#]+)" | fields - temp | rename time as _time| table _time, RequestID SiteID Address senderURI * StatusCode

kaushik1218 · ‎08-15-2017

thanks for your fast reply.

Apologies for not mentioning before, what will be the query if new field name of "serviceType" is to be displayed for every serviceType value. Something like below.

servicetype1 servicetype2 servicetype3 servicetype4
xxx yyy zzz www

How to generate a table where the values of my "serviceType" field appear as a column headers?

Can’t make it to .conf25? Join us online!

Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform

Calling All Security Pros: Ready to Race Through Boston?

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Are you a member of the Splunk Community?

How to generate a table where the values of my "serviceType" field appear as a column headers?

Can’t make it to .conf25? Join us online!

Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform

Calling All Security Pros: Ready to Race Through Boston?

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...