Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Need to show a report by extracting multivalued lines

srinathd
Contributor
‎10-30-2014 02:43 AM

I have multivalued lines in my log file like below

abc\xFD123\xFDABC
aus\xFDIND\xFDUK
12\xFD34\xFD56

I have to show the report in table format like below

abc aus 12
123 IND 34
ABC UK 56

how to achieve this using a query. Please let me know

Thanks,
Srinath

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

tom_frotscher
Builder
‎10-30-2014 06:09 AM

Hi,

here is a run everywere example of how you can solve this problem. Maybe you have to adjust a little bit by using a table command at the end:

| stats count | fields - count | eval mv_field="abcxFD123xFDABC ausxFDINDxFDUK 12xFD34xFD56" | eval mv_field=replace('mv_field',"xFD",";") | rex field=mv_field "(?<ex_1>[^\;]+)\;(?<ex_2>[^\;]+)\;(?<ex_3>[^\;]+)\;(?<ex_4>[^\;]+)\;(?<ex_5>[^\;]+)\;(?<ex_6>[^\;]+)\;(?<ex_7>.*)$"

Greetings

Tom

View solution in original post

Reply
Solved! Jump to solution
Solution

tom_frotscher
Builder
‎10-30-2014 06:09 AM

Hi,

here is a run everywere example of how you can solve this problem. Maybe you have to adjust a little bit by using a table command at the end:

| stats count | fields - count | eval mv_field="abcxFD123xFDABC ausxFDINDxFDUK 12xFD34xFD56" | eval mv_field=replace('mv_field',"xFD",";") | rex field=mv_field "(?<ex_1>[^\;]+)\;(?<ex_2>[^\;]+)\;(?<ex_3>[^\;]+)\;(?<ex_4>[^\;]+)\;(?<ex_5>[^\;]+)\;(?<ex_6>[^\;]+)\;(?<ex_7>.*)$"

Greetings

Tom

Reply
Solved! Jump to solution

srinathd
Contributor
‎10-30-2014 06:38 AM

Thanks for your answer. The entry in the log will be in this format

abc\xFD123\xFDABC aus\xFDIND\xFDUK 12\xFD34\xFD56

but i need to show in the table like below

abc aus 12

123 IND 34

ABC UK 56

Thanks,
Srinath

0 Karma
Reply
Solved! Jump to solution

tom_frotscher
Builder
‎10-30-2014 07:26 AM

Is this: "abcxFD123xFDABC ausxFDINDxFDUK 12xFD34xFD56" all in one line, or in 3 seperate lines? sometimes a screenshot from the data as you can see it in splunk is the best for us to help.

I don't know, this looks pretty messy and complicated, but maybe it helps:

| stats count | fields - count | eval mv_field="abcxFD123xFDABC ausxFDINDxFDUK 12xFD34xFD56" | eval mv_field=replace('mv_field',"xFD",";") | rex field=mv_field "(?<a_1>[^\;]+)\;(?<a_2>[^\;]+)\;(?<a_3>[^ ]+) (?<b_1>[^\;]+)\;(?<b_2>[^\;]+)\;(?<b_3>[^ ]+) (?<c_1>[^\;]+)\;(?<c_2>[^\;]+)\;(?<c_3>.*)$" | eval row1='a_1'." ".'b_1'." ".'c_1' | eval row2='a_2'." ".'b_2'." ".'c_2' | eval row3='a_3'." ".'b_3'." ".'c_3' | table row* | transpose | rex field="row 1" "(?<value1>[^ ]*) (?<value2>[^ ]*) (?<value3>.*)$" | table value*
Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...