How to make a column for a field value in a table?

dhirendra761
Contributor

My data fields are in the table format below:

| monitoringData | key | value |
|---|---|---|
| documentStatus":null,"timestamp":1533032713303} | deliverableType | null |
| documentStatus":null,"timestamp":1533032713303} | docType | 564_AD |
| documentStatus":null,"timestamp":1533032713303} | acProgram | 432_CE |
| documentStatus":null,"timestamp":1533032713303} | docId | RR |
| documentStatus":null,"timestamp":1533032713303} | revisionDate | 14018752 |
| documentStatus":null,"timestamp":1533032713303} | deliverableType | 234 |
| documentStatus":null,"timestamp":1533032713303} | docType | 3572_BzW |
| documentStatus":null,"timestamp":1533032713303} | deliverableType | 4516 |
| documentStatus":null,"timestamp":1533032713303} | acProgram | 432_DE |
----------
But my **Requirement** is:

| monitoringData | deliverableType | docType |
|---|---|---|
| documentStatus":null,"timestamp":1533032713303} | null | 564_AD |
| documentStatus":null,"timestamp":1533032713303} | 4516 | 3572_BzW |
| documentStatus":null,"timestamp":1533032713303} | 234 | |
----------
Below is my search query:

    sourcetype="adns"
    | rex max_match=0 field=monitoringData "(?<key>\w+)\":\"?(?<value>\"?[^,\"]+)"
    | eval b=mvzip(key,value)
    | mvexpand b
    | makemv b delim=","
    | eval key=mvindex(b, 0)
    | eval value=mvindex(b, 1)
    | table monitoringData key value
----------

Any help would be appreciated.

Thanks.

0 Karma
1 Solution

harishalipaka
Motivator

Hi @dhirendra761,

Try the query below:

    | makeresults
    | eval monitoringData="documentStatus:null,timestamp:1533032713303}", key="deliverableType", value="null"
    | append [
        | makeresults
        | eval monitoringData="documentStatus:null,timestamp:1533032713303}", key="docType", value="564_AD"
      ]
    | table monitoringData key value
    | chart values(value) over monitoringData by key

If it helped you, please accept it as the answer 🙂

Thanks
Harish


niketn
Legend

@dhirendra761 is there any reason why you are not splitting the events by timestamp into individual events before indexing? You can avoid creating a multi-valued field and then splitting it into individual events at search time (which to me is just surplus overhead that can be avoided).

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

dhirendra761
Contributor

@harishalipaka

Yes, it's working... Thank you very much.

0 Karma

somesoni2
SplunkTrust

Another alternative option is using the xyseries command (useful when you don't want to apply any aggregation with the chart command):

    | makeresults
    | eval monitoringData="documentStatus:null,timestamp:1533032713303}", key="deliverableType", value="null"
    | append [
        | makeresults
        | eval monitoringData="documentStatus:null,timestamp:1533032713303}", key="docType", value="564_AD"
      ]
    | table monitoringData key value
    | xyseries monitoringData key value
0 Karma
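As an added example that is not part of this thread, the Python below models the whole pipeline offline so the behaviour of the two answers above can be checked without a Splunk instance: the question's `rex` pattern is applied to each `monitoringData` JSON fragment to produce (key, value) rows, and a `pivot` function reproduces what `chart values(value) over monitoringData by key` returns (and what `xyseries monitoringData key value` returns when every row/column pair occurs once). The three JSON events are constructed for the example, and the `tail` field and the `extract_rows`, `pivot` and `render` names are assumptions of the example, not Splunk commands. It also shows the caveat behind niketn's comment: the field after `over` must be distinct per document. The question's table prints the same truncated `monitoringData` for every row; if the real field values are identical as well, `chart` merges all documents into a single row with multivalue cells instead of one row per document.

```python
"""Offline model of the SPL pipeline discussed in the thread:
rex -> (key, value) rows -> chart values(value) over monitoringData by key.
Example code written for this page; not from the thread or from Splunk."""
import re
from collections import defaultdict

# Constructed sample events (not data from the thread). Their trailing
# documentStatus/timestamp fields match the truncated fragment the question shows.
EVENTS = [
    '{"deliverableType":null,"docType":"564_AD","acProgram":"432_CE","docId":"RR",'
    '"revisionDate":14018752,"documentStatus":null,"timestamp":1533032713303}',
    '{"deliverableType":4516,"docType":"3572_BzW","acProgram":"432_DE",'
    '"documentStatus":null,"timestamp":1533032713303}',
    '{"deliverableType":234,"documentStatus":null,"timestamp":1533032713303}',
]

# Python form of the question's rex pattern (?<key>\w+)\":\"?(?<value>\"?[^,\"]+).
# It does not exclude '}', so the last value in an event keeps the closing brace.
KV_RE = re.compile(r'(?P<key>\w+)":"?(?P<value>"?[^,"]+)')


def extract_rows(events):
    """Model of rex max_match=0 + mvzip + mvexpand: one row per (key, value) pair.
    'tail' (an assumed helper field) reproduces the truncated monitoringData text
    shown in the question's table, which is identical for every row."""
    rows = []
    for ev in events:
        tail = ev[ev.index("documentStatus"):]
        for m in KV_RE.finditer(ev):
            rows.append({"monitoringData": ev, "tail": tail,
                         "key": m.group("key"), "value": m.group("value")})
    return rows


def pivot(rows, over, by, val):
    """Model of `chart values(<val>) over <over> by <by>`: one output row per
    distinct `over` value; each cell is the sorted list of distinct `val` values
    seen for that (row, column), i.e. a multivalue cell when a key repeats."""
    table = defaultdict(lambda: defaultdict(set))
    for r in rows:
        table[r[over]][r[by]].add(r[val])
    return {row: {col: sorted(vals) for col, vals in cols.items()}
            for row, cols in table.items()}


def render(table, columns):
    """Plain-text rendering of the selected columns; multivalue cells joined with '|'."""
    lines = ["monitoringData".ljust(50) + "".join(c.ljust(18) for c in columns)]
    for row, cols in table.items():
        cells = ["|".join(cols.get(c, [])) for c in columns]
        lines.append(row[-48:].ljust(50) + "".join(c.ljust(18) for c in cells))
    return "\n".join(lines)


if __name__ == "__main__":
    rows = extract_rows(EVENTS)
    wanted = ["deliverableType", "docType"]
    # Grouping on the full event gives one row per document, as the question requires.
    print(render(pivot(rows, "monitoringData", "key", "value"), wanted))
    print()
    # Grouping on the identical truncated tail merges every document into one
    # multivalue row: the grouping field must be distinct per document.
    print(render(pivot(rows, "tail", "key", "value"), wanted))
```

Run it as a script to see both renderings side by side. The second table is the failure mode to watch for when the source field is not unique per document, and splitting the events before indexing, as suggested above, removes the need for the search-time `mvexpand` step entirely.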