Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Issue with table command
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Issue with table command
Hi,
My saved search looks like below:
index="efg" "$var$" rex "(abc=.*? )(?<payload>.*)(>)" | eval payload=replace(payload,"</.*?:","</") | eval payload=replace(payload,"<[^/]*?:","<") | xpath outfield=AAA "//details/aaa" field=payload|xpath outfield=BBB "//details/bbb" field=payload|xpath outfield=CCC "//details/ccc" field=payload|table AAA, BBB,CCC
When i run this, the table displays the all the values of AAA in a single row, same is the case with values in BBB. Only for CCC field values i am getting all values in different rows. Why is this happening. Please help me resolve this issue.
Currently i am getting the result as shown below:
AAA BBB CCC
1 2 3 4 5 6 1 2 3 4 5 6 1
2
3
4
5
6
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First, without knowing anything about your data, it is nearly impossible to say why this is happening.
So, a sample of the data (or even a detailed description) would be quite helpful.
Second, it would also nice to see a sample of the results from this search:
index="efg" "$var$"
| rex "(abc=.*? )(?<payload>.*)(>)"
| eval payload=replace(payload,"</.*?:","</")
| eval payload=replace(payload,"<[^/]*?:","<")
| table payload
That might give you a clue about the results you are seeing.
Community Content Calendar, September edition
Splunkbase Unveils New App Listing Management Public Preview
Leveraging Automated Threat Analysis Across the Splunk Ecosystem
