I'm trying to figure out the best way to extract the values currently displayed under the field name "FIELD"; for example, there are values named "AssignedUser", "ID", "Department".
In my VALUE field I have field values that I want to pair with AssignedUser, ID, Department in the FIELD, in essence creating a new field for each and displaying their values there.
Try this:
| eval {field that you want the value of to be the name of the new field}=field that you want the value of to be the value of the new field
index=example sourcetype=example:sourcetype
| eval {field1}=field2
| eval {field3}=field4
etc
The key here is the { } around the first field.
Field                   Value
AssignedUserOrGroupID   P155T|G48T|G42T
TicketStatusID          G39T|P145T|P191G|P176G|P147T
AssignedUserOrGroupID   P213G|G44T
Obviously, I'd like 1-to-1 pairing instead of multiple values too, as in e.g. G39T|P145T|P191G|P176G|P147T.
@johnward4, how do these values for field and value appear in your search? Also, what is the search you have right now that generates the above table in your example? And are these single-valued fields or multi-valued?
Following is a run-anywhere search based on the data provided. However, depending on your existing search, you might need only the final three pipes of the search.
| makeresults
| eval field="AssignedUserOrGroupID,TicketStatusID,AssignedUserOrGroupID"
| eval value="P155T|G48T|G42T,G39T|P145T|P191G|P176G|P147T,P213G|G44T"
| makemv field delim=","
| makemv value delim=","
| eval data=mvzip(field,value)
| mvexpand data
| makemv data delim=","
| eval field=mvindex(data,0),value=mvindex(data,1)
| makemv value delim="|"
| mvexpand value
| table field value
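As an added run-anywhere example (written for this thread, not posted by any of the participants), the following combines the Field/Value pairing from the search above with the {field}=value trick from the first answer, so that each Field name becomes its own column holding the matching Value entries. The sample Field/Value strings are constructed to mimic the poster's data, and grouping by _time at the end is an assumption: on real events you would group by whatever identifies one ticket (for example the ID field).

```spl
| makeresults
| eval Field="AssignedUserOrGroupID,TicketStatusID,TicketTypeID"
| eval Value="P155T|G48T|G42T,G39T|P145T|P191G,T70T"
| makemv Field delim=","
| makemv Value delim=","
| eval pair=mvzip(Field,Value,"@")
| mvexpand pair
| makemv pair delim="@"
| eval Field=mvindex(pair,0), Value=mvindex(pair,1)
| makemv Value delim="|"
| eval {Field}=Value
| fields - pair Field Value
| stats values(*) as * by _time
```

The mvzip/mvexpand pipes turn the n-th Field and the n-th Value into one row per pair, makemv splits the pipe-separated IDs into a multivalue field, and `eval {Field}=Value` then creates a field whose name is the content of Field (AssignedUserOrGroupID, TicketStatusID, TicketTypeID) and whose value is the corresponding list of IDs. The closing stats collapses the expanded rows back into a single row with one column per ticket field; with the sample data above you get AssignedUserOrGroupID holding G42T, G48T and P155T, TicketStatusID holding G39T, P145T and P191G, and TicketTypeID holding T70T.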
It's just a base index=myindex sourcetype=sourcetypeformylogs, and Splunk is extracting fields automatically. I'm interested in correlating or pairing the values of two of those fields to create new fields with the data currently under "Value".
If I look at interesting fields, I see this:
Field
AssignedUserOrGroupID
ID
TicketTypeID
Entity
TicketStatusID
AccountID
UserID
ParentObject
Date
FullText
Value
G39T|P145T|P191G|P176G|P147T
G42T|G43T|P159T|P156T|P155T|P185G|P157T|G50G
P156T|G42T
P157T|G48T|G42T
P155T|G48T|G42T
T70T
S1|S2C
Incident
P213G|G44T
You can try the following:
index=myindex sourcetype=sourcetypeformylogs Field=* Value=*
| stats count by Field Value
Or, if you are interested in a specific Field and Value, you can specify it in the base search.
index=myindex sourcetype=sourcetypeformylogs Field="TicketTypeID"
| stats last(Value) as Value
| makemv Value delim="|"
| mvexpand Value
Using transpose may help.
Add this onto the end of your search:
| transpose