Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Need to show a report by extracting multivalued lines

srinathd
Contributor
‎10-30-2014 02:43 AM

I have multivalued lines in my log file like below

abc\xFD123\xFDABC
aus\xFDIND\xFDUK
12\xFD34\xFD56

I have to show the report in table format like below

abc aus 12
123 IND 34
ABC UK 56

how to achieve this using a query. Please let me know

Thanks,
Srinath

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

tom_frotscher
Builder
‎10-30-2014 06:09 AM

Hi,

here is a run everywere example of how you can solve this problem. Maybe you have to adjust a little bit by using a table command at the end:

| stats count | fields - count | eval mv_field="abcxFD123xFDABC ausxFDINDxFDUK 12xFD34xFD56" | eval mv_field=replace('mv_field',"xFD",";") | rex field=mv_field "(?<ex_1>[^\;]+)\;(?<ex_2>[^\;]+)\;(?<ex_3>[^\;]+)\;(?<ex_4>[^\;]+)\;(?<ex_5>[^\;]+)\;(?<ex_6>[^\;]+)\;(?<ex_7>.*)$"

Greetings

Tom

View solution in original post

Reply
Solved! Jump to solution
Solution

tom_frotscher
Builder
‎10-30-2014 06:09 AM

Hi,

here is a run everywere example of how you can solve this problem. Maybe you have to adjust a little bit by using a table command at the end:

| stats count | fields - count | eval mv_field="abcxFD123xFDABC ausxFDINDxFDUK 12xFD34xFD56" | eval mv_field=replace('mv_field',"xFD",";") | rex field=mv_field "(?<ex_1>[^\;]+)\;(?<ex_2>[^\;]+)\;(?<ex_3>[^\;]+)\;(?<ex_4>[^\;]+)\;(?<ex_5>[^\;]+)\;(?<ex_6>[^\;]+)\;(?<ex_7>.*)$"

Greetings

Tom

Reply
Solved! Jump to solution

srinathd
Contributor
‎10-30-2014 06:38 AM

Thanks for your answer. The entry in the log will be in this format

abc\xFD123\xFDABC aus\xFDIND\xFDUK 12\xFD34\xFD56

but i need to show in the table like below

abc aus 12

123 IND 34

ABC UK 56

Thanks,
Srinath

0 Karma
Reply
Solved! Jump to solution

tom_frotscher
Builder
‎10-30-2014 07:26 AM

Is this: "abcxFD123xFDABC ausxFDINDxFDUK 12xFD34xFD56" all in one line, or in 3 seperate lines? sometimes a screenshot from the data as you can see it in splunk is the best for us to help.

I don't know, this looks pretty messy and complicated, but maybe it helps:

| stats count | fields - count | eval mv_field="abcxFD123xFDABC ausxFDINDxFDUK 12xFD34xFD56" | eval mv_field=replace('mv_field',"xFD",";") | rex field=mv_field "(?<a_1>[^\;]+)\;(?<a_2>[^\;]+)\;(?<a_3>[^ ]+) (?<b_1>[^\;]+)\;(?<b_2>[^\;]+)\;(?<b_3>[^ ]+) (?<c_1>[^\;]+)\;(?<c_2>[^\;]+)\;(?<c_3>.*)$" | eval row1='a_1'." ".'b_1'." ".'c_1' | eval row2='a_2'." ".'b_2'." ".'c_2' | eval row3='a_3'." ".'b_3'." ".'c_3' | table row* | transpose | rex field="row 1" "(?<value1>[^ ]*) (?<value2>[^ ]*) (?<value3>.*)$" | table value*
Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...