Hi Team,
We have a Splunk XML dashboard as shown in the below snippet.
In the above table, we have extracted the job names from the raw text and arranged those job names in the Splunk dashboard table, where we can see that all job names are in a single cell, but we need those job names divided into separate cells with the same timestamp.
Please help us with this. Below is the SPL query we have given for the table and the XML code given for the table.
index= app_events_dwh2_de_int _raw=*(*Error*) | eval status="Error" | rex max_match=0 "\\\\\\\\\\\\\"name\\\\\\\\\\\\\":\s*\\\\\\\\\\\\\"(?<name>[^\\\]+)"
| append [ search index=app_events_dwh2_de_int _raw=*(*Error*) | eval rootcause=exc_info] |table "_time", "name", status, rootcause
<panel id="Error_table">
<html>
<H1 style="text-align:center;background-color:#0080FF;">Error Event Details</H1>
<style>
#Error_table {
width: 70% !important;
}
#Error_table1 table thead tr th:nth-child(1){
width: 25% !important;
}
#Error_table1 table thead tr th:nth-child(3){
width: 10% !important;
}
#Error_table1 table thead tr th:nth-child(2){
width: 25% !important;
}
#Error_table1 table thead tr th:nth-child(4){
width: 40% !important;
}
#Error_table1 table td {
row-height: 5px !important;
}
</style>
</html>
<table id="Error_table1">
<search>
<query>index= app_events_dwh2_de_int _raw=*(*Error*) | eval status="Error" | rex max_match=0 "\\\\\\\\\\\\\"name\\\\\\\\\\\\\":\s*\\\\\\\\\\\\\"(?&lt;name&gt;[^\\\]+)"
| append [ search index=app_events_dwh2_de_int _raw=*(*Error*) | eval rootcause=exc_info] |table "_time", "name", status, rootcause</query>
<earliest>0</earliest>
<latest></latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">6</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="refresh.display">progressbar</option>
<option name="wrap">true</option>
<format type="color" field="name">
<colorPalette type="minMidMax" maxColor="#FFFFFF" minColor="#FFFFFF"></colorPalette>
<scale type="minMidMax"></scale>
</format>
<format type="color" field="status">
<colorPalette type="map">{"Error":#FFFFFF}</colorPalette>
</format>
</table>
</panel>
Hello @Renunaren,
Try using | mvexpand name
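As an added illustration of the suggestion above (not part of the original posts): a self-contained search that builds one constructed event with `makeresults`, extracts several `name` values with `rex max_match=0`, and then uses `mvexpand` to produce one row per job name, with `_time`, `status` and `rootcause` repeated on each row. The event text, job names and `exc_info` value are constructed, and the regex is simplified to match the unescaped sample JSON rather than the escaped pattern in the question.

```spl
| makeresults
| eval _raw="(Error) constructed sample: {\"jobs\": [{\"name\": \"job_a\"}, {\"name\": \"job_b\"}, {\"name\": \"job_c\"}]}"
| eval exc_info="constructed sample exception text"
| eval status="Error", rootcause=exc_info
| rex max_match=0 "\"name\":\s*\"(?<name>[^\"]+)\""
| mvexpand name
| table _time, name, status, rootcause
```

Removing the `mvexpand name` line shows the original behaviour: a single row whose `name` cell holds all three values as one multivalue field.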
Hi Manasa,
Thanks for your valuable reply; this has actually worked.