Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Need to show a report by extracting multivalued lines

srinathd
Contributor
‎10-30-2014 02:43 AM

I have multivalued lines in my log file like below

abc\xFD123\xFDABC
aus\xFDIND\xFDUK
12\xFD34\xFD56

I have to show the report in table format like below

abc aus 12
123 IND 34
ABC UK 56

how to achieve this using a query. Please let me know

Thanks,
Srinath

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

tom_frotscher
Builder
‎10-30-2014 06:09 AM

Hi,

here is a run everywere example of how you can solve this problem. Maybe you have to adjust a little bit by using a table command at the end:

| stats count | fields - count | eval mv_field="abcxFD123xFDABC ausxFDINDxFDUK 12xFD34xFD56" | eval mv_field=replace('mv_field',"xFD",";") | rex field=mv_field "(?<ex_1>[^\;]+)\;(?<ex_2>[^\;]+)\;(?<ex_3>[^\;]+)\;(?<ex_4>[^\;]+)\;(?<ex_5>[^\;]+)\;(?<ex_6>[^\;]+)\;(?<ex_7>.*)$"

Greetings

Tom

View solution in original post

Reply
Solved! Jump to solution
Solution

tom_frotscher
Builder
‎10-30-2014 06:09 AM

Hi,

here is a run everywere example of how you can solve this problem. Maybe you have to adjust a little bit by using a table command at the end:

| stats count | fields - count | eval mv_field="abcxFD123xFDABC ausxFDINDxFDUK 12xFD34xFD56" | eval mv_field=replace('mv_field',"xFD",";") | rex field=mv_field "(?<ex_1>[^\;]+)\;(?<ex_2>[^\;]+)\;(?<ex_3>[^\;]+)\;(?<ex_4>[^\;]+)\;(?<ex_5>[^\;]+)\;(?<ex_6>[^\;]+)\;(?<ex_7>.*)$"

Greetings

Tom

Reply
Solved! Jump to solution

srinathd
Contributor
‎10-30-2014 06:38 AM

Thanks for your answer. The entry in the log will be in this format

abc\xFD123\xFDABC aus\xFDIND\xFDUK 12\xFD34\xFD56

but i need to show in the table like below

abc aus 12

123 IND 34

ABC UK 56

Thanks,
Srinath

0 Karma
Reply
Solved! Jump to solution

tom_frotscher
Builder
‎10-30-2014 07:26 AM

Is this: "abcxFD123xFDABC ausxFDINDxFDUK 12xFD34xFD56" all in one line, or in 3 seperate lines? sometimes a screenshot from the data as you can see it in splunk is the best for us to help.

I don't know, this looks pretty messy and complicated, but maybe it helps:

| stats count | fields - count | eval mv_field="abcxFD123xFDABC ausxFDINDxFDUK 12xFD34xFD56" | eval mv_field=replace('mv_field',"xFD",";") | rex field=mv_field "(?<a_1>[^\;]+)\;(?<a_2>[^\;]+)\;(?<a_3>[^ ]+) (?<b_1>[^\;]+)\;(?<b_2>[^\;]+)\;(?<b_3>[^ ]+) (?<c_1>[^\;]+)\;(?<c_2>[^\;]+)\;(?<c_3>.*)$" | eval row1='a_1'." ".'b_1'." ".'c_1' | eval row2='a_2'." ".'b_2'." ".'c_2' | eval row3='a_3'." ".'b_3'." ".'c_3' | table row* | transpose | rex field="row 1" "(?<value1>[^ ]*) (?<value2>[^ ]*) (?<value3>.*)$" | table value*
Reply
Get Updates on the Splunk Community!

Index This | Why did the turkey cross the road?

November 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...