Splunk Search

How to get job names divided into separate cells with the same time stamp?

Renunaren
Loves-to-Learn Everything

Hi Team,

We have a Splunk XML dashboard as shown in the below snippet.

(screenshot of the dashboard table: Renunaren_0-1685506023969.png)

In the above table we have extracted the job names from the raw text and arranged them in the Splunk dashboard table, where all job names appear in a single cell, but we need those job names divided into separate cells with the same timestamp.

Please help us with this. Below are the SPL query and the XML code we have given for the table.

index= app_events_dwh2_de_int _raw=*(*Error*) | eval status="Error" | rex max_match=0 "\\\\\\\\\\\\\"name\\\\\\\\\\\\\":\s*\\\\\\\\\\\\\"(?<name>[^\\\]+)"
| append [ search index=app_events_dwh2_de_int _raw=*(*Error*) | eval rootcause=exc_info] |table "_time", "name", status, rootcause


<panel id="Error_table">
<html>
<H1 style="text-align:center;background-color:#0080FF;">Error Event Details</H1>
<style>
#Error_table {
width: 70% !important;
}
#Error_table1 table thead tr th:nth-child(1){
width: 25% !important;
}
#Error_table1 table thead tr th:nth-child(3){
width: 10% !important;
}
#Error_table1 table thead tr th:nth-child(2){
width: 25% !important;
}
#Error_table1 table thead tr th:nth-child(4){
width: 40% !important;
}
#Error_table1 table td {
row-height: 5px !important;
}
</style>
</html>
<table id="Error_table1">
<search>
<query>index= app_events_dwh2_de_int _raw=*(*Error*) | eval status="Error" | rex max_match=0 "\\\\\\\\\\\\\"name\\\\\\\\\\\\\":\s*\\\\\\\\\\\\\"(?&lt;name&gt;[^\\\]+)"
| append [ search index=app_events_dwh2_de_int _raw=*(*Error*) | eval rootcause=exc_info] |table "_time", "name", status, rootcause</query>
<earliest>0</earliest>
<latest></latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">6</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="refresh.display">progressbar</option>
<option name="wrap">true</option>
<format type="color" field="name">
<colorPalette type="minMidMax" maxColor="#FFFFFF" minColor="#FFFFFF"></colorPalette>
<scale type="minMidMax"></scale>
</format>
<format type="color" field="status">
<colorPalette type="map">{"Error":#FFFFFF}</colorPalette>
</format>
</table>
</panel>


0 Karma

Manasa_401
Communicator

Hello @Renunaren 

Try using | mvexpand name

0 Karma
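As an added illustration of what the suggested `mvexpand` does (example code written for this page, not Splunk code or anything from the original post): a small Python model of `rex max_match=0` producing a multivalue `name` field and `mvexpand name` splitting it into one row per job name while each row keeps the timestamp of its source event. The events, the simplified regex on un-escaped JSON, and the handling of events with no `name` match are all constructed assumptions.

```python
import re

# Constructed sample events (not from the original post). Each _raw holds a
# JSON-like fragment with one or more "name" keys, as the dashboard's rex expects.
EVENTS = [
    {"_time": "2023-05-31 05:00:00", "exc_info": "KeyError",
     "_raw": 'Error {"jobs":[{"name":"load_dwh"},{"name":"merge_facts"}]}'},
    {"_time": "2023-05-31 05:10:00", "exc_info": "Timeout",
     "_raw": 'Error {"name": "export_report"}'},
    {"_time": "2023-05-31 05:20:00", "exc_info": "OSError",
     "_raw": "Error with no job payload"},
]

# Simplified form of the post's rex pattern for un-escaped JSON: "name":\s*"(?<name>[^"]+)
NAME_RE = re.compile(r'"name":\s*"(?P<name>[^"]+)')


def rex_max_match(events):
    """Model of `rex max_match=0`: every match lands in one multivalue field."""
    rows = []
    for ev in events:
        names = NAME_RE.findall(ev["_raw"])
        # rootcause is folded in directly here instead of via the post's append subsearch
        row = {"_time": ev["_time"], "status": "Error", "rootcause": ev["exc_info"]}
        row["name"] = names if names else None  # None models an absent field
        rows.append(row)
    return rows


def mvexpand(rows, field):
    """Model of `mvexpand <field>`: one output row per value, all other fields
    copied, so each job name keeps the _time of its source event.
    Rows without the field pass through unchanged (modelling assumption)."""
    out = []
    for row in rows:
        values = row.get(field)
        if not values:
            out.append(dict(row))
            continue
        for value in values:
            out.append(dict(row, **{field: value}))
    return out


def build_table(events):
    """The pipeline the answer suggests: rex max_match=0 ... | mvexpand name | table"""
    return mvexpand(rex_max_match(events), "name")


if __name__ == "__main__":
    for row in build_table(EVENTS):
        print(row["_time"], row["name"], row["status"], row["rootcause"])
```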

Renunaren
Loves-to-Learn Everything

Hi Manasa,

Thanks for your valuable reply; this has actually worked.

0 Karma