Re: Issue with table command

MadhuriVanga · ‎10-25-2013

Hi,

My saved search looks like below:

index="efg" "$var$" rex "(abc=.*? )(?<payload>.*)(>)" | eval payload=replace(payload,"</.*?:","</") | eval payload=replace(payload,"<[^/]*?:","<") | xpath outfield=AAA "//details/aaa" field=payload|xpath outfield=BBB "//details/bbb" field=payload|xpath outfield=CCC "//details/ccc" field=payload|table AAA, BBB,CCC

When i run this, the table displays the all the values of AAA in a single row, same is the case with values in BBB. Only for CCC field values i am getting all values in different rows. Why is this happening. Please help me resolve this issue.

Currently i am getting the result as shown below:

AAA BBB CCC
1 2 3 4 5 6 1 2 3 4 5 6 1
2
3
4
5
6

lguinn2 · ‎10-28-2013

First, without knowing anything about your data, it is nearly impossible to say why this is happening.
So, a sample of the data (or even a detailed description) would be quite helpful.

Second, it would also nice to see a sample of the results from this search:

index="efg" "$var$" 
| rex "(abc=.*? )(?<payload>.*)(>)" 
| eval payload=replace(payload,"</.*?:","</") 
| eval payload=replace(payload,"<[^/]*?:","<") 
| table payload

That might give you a clue about the results you are seeing.

Issue with table command

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Data Management Digest – May 2026

Index This | What is feather-light but cannot be held long?

.conf26 Registration is Live: Secure Your Early Bird Pass Now

Join the Conversation