Splunk Search

How to pair values of the "FIELD" with values of the "VALUE" field?

johnward4
Communicator

I'm trying to figure out the best way to extract values currently displayed under the field name "FIELD". For example, there are values named "AssignedUser", "ID", "Department".

In my VALUE field I have field values that I want to pair with AssignedUser, ID, Department in the FIELD, in essence creating a new field for each and displaying their values there.

0 Karma

marycordova
SplunkTrust

Try this:

| eval {field that you want the value of to be the name of the new field}=field that you want the value of to be the value of the new field

index=example sourcetype=example:sourcetype
| eval {field1}=field2 
| eval {field3}=field4

etc

The key here is the { } around the first field.

@marycordova
0 Karma

johnward4
Communicator

field                   value
AssignedUserOrGroupID   P155T|G48T|G42T
TicketStatusID          G39T|P145T|P191G|P176G|P147T
AssignedUserOrGroupID   P213G|G44T

Obviously, I'd like 1-1 pairing instead of multiple values too, as in, e.g., G39T|P145T|P191G|P176G|P147T

0 Karma

niketn
Legend

@johnward4, how do these values for field and value appear in your search? Also, what is the search you have right now that generates the above table in your example? Also, are these single-valued fields or multi-valued?

Following is a run-anywhere search based on the data provided. However, depending on your existing search, you might need only the final three pipes of the search.

| makeresults
| eval field="AssignedUserOrGroupID,TicketStatusID,AssignedUserOrGroupID"
| eval value="P155T|G48T|G42T,G39T|P145T|P191G|P176G|P147T,P213G|G44T"
| makemv field delim="," 
| makemv value delim=","
| eval data=mvzip(field,value)
| mvexpand data
| makemv data delim=","
| eval field=mvindex(data,0),value=mvindex(data,1)
| makemv value delim="|"
| mvexpand value
| table field value
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
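The following is an added example, not a search from either of the posts above. It chains the two techniques in this thread: niketn's mvzip/mvexpand pairing of the comma-separated field and value lists, then marycordova's `eval {field}=value` dynamic naming, and finally `stats values(*) as *` to fold the expanded rows into one wide row with a column per field name. The sample values are constructed from the table the asker posted; the field names `pair` and the `where mvcount(...)` guard are additions of mine. The guard matters because mvzip pairs the two lists by position: if one list is longer than the other, the pairs silently shift, so rows where the counts differ are dropped here rather than mispaired.

```spl
| makeresults
| eval field="AssignedUserOrGroupID,TicketStatusID,AssignedUserOrGroupID"
| eval value="P155T|G48T|G42T,G39T|P145T|P191G|P176G|P147T,P213G|G44T"
| makemv field delim=","
| makemv value delim=","
| where mvcount(field)=mvcount(value)
| eval pair=mvzip(field, value, "=")
| fields - field value
| mvexpand pair
| rex field=pair "^(?<field>[^=]+)=(?<value>.*)$"
| makemv value delim="|"
| eval {field}=value
| fields - _time pair field value
| stats values(*) as *
```

On the sample data this returns a single row with an AssignedUserOrGroupID column holding G42T, G44T, G48T, P155T, P213G and a TicketStatusID column holding G39T, P145T, P147T, P176G, P191G. Note that `values()` deduplicates and sorts lexicographically and merges the two AssignedUserOrGroupID entries; use `list(*) as *` instead if you need the original order and repeats. To inspect events whose lists do not line up, flip the guard to `where mvcount(field)!=mvcount(value)` and look at them before trusting the pairing. On real events that already have single-valued field and value, only the last three pipes (`eval {field}=value`, `fields -`, `stats`) are needed, with a per-ticket key added to a `by` clause if each ticket should stay on its own row.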

johnward4
Communicator

It's just a base index=myindex sourcetype=sourcetypeformylogs and Splunk is extracting fields automatically, and I'm interested in correlating or pairing the values of two of those fields to create new fields with the data currently under "Value".

If I look at interesting fields, I see this:

Field (Top 10 Values)
  AssignedUserOrGroupID
  ID
  TicketTypeID
  Entity
  TicketStatusID
  AccountID
  UserID
  ParentObject
  Date
  FullText

Value (Top 10 Values)
  G39T|P145T|P191G|P176G|P147T
  G42T|G43T|P159T|P156T|P155T|P185G|P157T|G50G
  P156T|G42T
  P157T|G48T|G42T
  P155T|G48T|G42T
  T70T
  S1|S2C
  Incident
  P213G|G44T

0 Karma

niketn
Legend

You can try the following:

index=myindex sourcetype=sourcetypeformylogs Field=* Value=*
| stats count by Field Value

Or, if you are interested in a specific Field and Value, you can specify it in the base search.

index=myindex sourcetype=sourcetypeformylogs Field="TicketTypeID"
| stats last(Value) as Value
| makemv Value delim="|"
| mvexpand Value
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

skoelpin
SplunkTrust

Using transpose may help.

Add this onto the end of your search:

| transpose

0 Karma
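As an added example (not skoelpin's own search), here is what the transpose route looks like when carried through to one column per Field value. It assumes, as the asker's interesting-fields listing suggests, that each event carries one single-valued Field and one single-valued Value; four such events are constructed with makeresults and streamstats so the search runs anywhere. `header_field` tells transpose to take the new column headers from the Field column instead of the default "row 1", "row 2" names, and the leading `0` lifts transpose's default limit of 5 rows so every Field value becomes a column.

```spl
| makeresults count=4
| streamstats count as n
| eval Field=case(n=1, "AssignedUserOrGroupID", n=2, "TicketStatusID", n=3, "Entity", n=4, "AssignedUserOrGroupID")
| eval Value=case(n=1, "P155T|G48T|G42T", n=2, "G39T|P145T|P191G|P176G|P147T", n=3, "Incident", n=4, "P213G|G44T")
| fields - _time n
| stats values(Value) as Value by Field
| eval Value=mvjoin(Value, "|")
| transpose 0 header_field=Field
| fields - column
```

The result is one row with columns AssignedUserOrGroupID (P155T|G48T|G42T|P213G|G44T), Entity (Incident) and TicketStatusID (G39T|P145T|P191G|P176G|P147T). The `mvjoin` step collapses the multivalue result of `values()` back into the original pipe-delimited form before transposing; transpose works on single strings, so leaving Value multivalued is not safe. The `column` field dropped at the end is the one transpose adds to hold the original column name ("Value"). As with the `eval {Field}=Value` approach, this merges every event sharing a Field into one cell; if each ticket must stay on its own row, a ticket identifier has to be added to the `stats ... by` clause, and no such field appears in the posts above, so which one applies is left to the reader's data.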