Is it possible to split lines and re-use certain f...

wvanloon · ‎10-07-2019

I have thise event:

ID=FAKE_ID_NAME,TS=1570441680,F1=1380,F2=60,F3=60,F4=1500

For my analysis it would be very usefull to get every field to a new line except ID and TS, so the desired output is:

ID=FAKE_ID_NAME,TS=1570441680,F1=1380;
ID=FAKE_ID_NAME,TS=1570441680,F2=60;
ID=FAKE_ID_NAME,TS=1570441680,F3=60;
ID=FAKE_ID_NAME,TS=1570441680,F4=1500;

How can I achieve this?

gcusello · ‎10-07-2019

HI wvanloon,
try something like this:

| makeresults 
| eval ID="FAKE_ID_NAME", TS="1570441680", F1="1380", F2="60", F3="60", F4="1500"
| eval col=ID." ".TS
| stats values(F1) AS F1 values(F2) AS F2 values(F3) AS F3 values(F4) AS F4 BY col
| untable col field value
| rex field=col "^(?<ID>[^ ]*)\s+(?<TS>[^ ]*)"
| eval my_field=field."=".value
| table ID TS my_field

Bye.
Giuseppe

wvanloon · ‎10-07-2019

Thanks!

Another problem is that I don't know which fields i have for each event.
So it can be 1F, 2F, 3F, 4F or something totally different like 1S, 2S, 6S and so on. I still want to duplicate the TS and ID column.

Can that also be solved?

adonio · ‎10-07-2019

what is the problem you are trying to solve?

wvanloon · ‎10-07-2019

I need to join the events based on 2 fields ID and the name of the other fields like F1.

So I have an lookup-table with:

ID;INDEX;Value
FAKE_ID_NAME;F1;95

If you have any other ideas to solve this that would be great!

Is it possible to split lines and re-use certain fields?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation