Solved: How to place and sort data in a table for a single...

waldez · ‎04-14-2016

Hello,

I'm having trouble breaking apart an event into a chart.

I have an event with 15 data points. The field titles are Alpha_1, Alpha_2, Alpha_3, Bravo_1, Bravo_2... all they way until Echo_3.

I want to table the information with rows, Alpha, Bravo, Charlie, Delta, Echo, and Columns of 1, 2 and 3.

Can someone help me with this search? It's quite complicated because I need to analyze the field names in order to sort the data into the respective place in the table.

Thanks in advance, Waldez

somesoni2 · ‎04-14-2016

Assuming you've fixed field name and number, try like this

your base search | table Alpha* Bravo* Charlie* Delta* Echo* | eval temp=1 | untable temp key value | rex field=key "(?<x>\w+)_(?<y>\d+)" | chart values(value) over x by y

Updated
Since your field naming convention has changed (from the example), the rex will change too. Try like this (will corporate Martin's xyseries option as well)

index=my base search| table BN* BS* NE* NW* South* | eval temp=1 | untable temp key value | rex field=key "^(?<x>\w+)_(?<y>.*)"| xyseries x y value

View solution in original post

somesoni2 · ‎04-14-2016

Assuming you've fixed field name and number, try like this

your base search | table Alpha* Bravo* Charlie* Delta* Echo* | eval temp=1 | untable temp key value | rex field=key "(?<x>\w+)_(?<y>\d+)" | chart values(value) over x by y

Updated
Since your field naming convention has changed (from the example), the rex will change too. Try like this (will corporate Martin's xyseries option as well)

index=my base search| table BN* BS* NE* NW* South* | eval temp=1 | untable temp key value | rex field=key "^(?<x>\w+)_(?<y>.*)"| xyseries x y value

martin_mueller · ‎04-14-2016

The rex call is the one, it was tailored to Alpha_1 etc., try this:

... | rex field=key "(?<x>[^_]+)_(?<y>.+)" | ...

waldez · ‎04-14-2016

That was it! Thanks a ton!

waldez · ‎04-14-2016

For some reason this isn't working. I'm unfamiliar with the rex and untable functions and I'm not certain I'm modifying the syntax correctly. My actual field names are BN_Received_Daily, BN_Sent_Daily, BN_percent_error, BS_Received_Daily, BS_Sent_Daily, BS_percent_error, and so on for NE, NW and South. I'm trying to get to BN, BS, NE, NW, and South for the rows, and Sent_Daily, Received_Daily and Percent_Error for the columns

I tried modifying your recommendation, but it isn't coming out correct, any suggestions? This is what I've got so far (I know I'm screwing something simple up):

index=my base search| table BN* BS* NE* NW* South* | eval temp=1 | untable temp key value | rex field=key "(?\w+)_(?\d+)"| chart values(value) over x by y

martin_mueller · ‎04-14-2016

Instead of chart, you could also use the reverse of untable: ... | xyseries x y value

sundareshr · ‎04-14-2016

See if the multivalue commands give you any ideas on how you can achieve this

http://docs.splunk.com/Documentation/Splunk/6.1.9/SearchReference/mvexpand

How to place and sort data in a table for a single event based on the field names?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?