Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Need to show a report by extracting multivalued lines

srinathd
Contributor
‎10-30-2014 02:43 AM

I have multivalued lines in my log file like below

abc\xFD123\xFDABC
aus\xFDIND\xFDUK
12\xFD34\xFD56

I have to show the report in table format like below

abc aus 12
123 IND 34
ABC UK 56

how to achieve this using a query. Please let me know

Thanks,
Srinath

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

tom_frotscher
Builder
‎10-30-2014 06:09 AM

Hi,

here is a run everywere example of how you can solve this problem. Maybe you have to adjust a little bit by using a table command at the end:

| stats count | fields - count | eval mv_field="abcxFD123xFDABC ausxFDINDxFDUK 12xFD34xFD56" | eval mv_field=replace('mv_field',"xFD",";") | rex field=mv_field "(?<ex_1>[^\;]+)\;(?<ex_2>[^\;]+)\;(?<ex_3>[^\;]+)\;(?<ex_4>[^\;]+)\;(?<ex_5>[^\;]+)\;(?<ex_6>[^\;]+)\;(?<ex_7>.*)$"

Greetings

Tom

View solution in original post

Reply
Solved! Jump to solution
Solution

tom_frotscher
Builder
‎10-30-2014 06:09 AM

Hi,

here is a run everywere example of how you can solve this problem. Maybe you have to adjust a little bit by using a table command at the end:

| stats count | fields - count | eval mv_field="abcxFD123xFDABC ausxFDINDxFDUK 12xFD34xFD56" | eval mv_field=replace('mv_field',"xFD",";") | rex field=mv_field "(?<ex_1>[^\;]+)\;(?<ex_2>[^\;]+)\;(?<ex_3>[^\;]+)\;(?<ex_4>[^\;]+)\;(?<ex_5>[^\;]+)\;(?<ex_6>[^\;]+)\;(?<ex_7>.*)$"

Greetings

Tom

Reply
Solved! Jump to solution

srinathd
Contributor
‎10-30-2014 06:38 AM

Thanks for your answer. The entry in the log will be in this format

abc\xFD123\xFDABC aus\xFDIND\xFDUK 12\xFD34\xFD56

but i need to show in the table like below

abc aus 12

123 IND 34

ABC UK 56

Thanks,
Srinath

0 Karma
Reply
Solved! Jump to solution

tom_frotscher
Builder
‎10-30-2014 07:26 AM

Is this: "abcxFD123xFDABC ausxFDINDxFDUK 12xFD34xFD56" all in one line, or in 3 seperate lines? sometimes a screenshot from the data as you can see it in splunk is the best for us to help.

I don't know, this looks pretty messy and complicated, but maybe it helps:

| stats count | fields - count | eval mv_field="abcxFD123xFDABC ausxFDINDxFDUK 12xFD34xFD56" | eval mv_field=replace('mv_field',"xFD",";") | rex field=mv_field "(?<a_1>[^\;]+)\;(?<a_2>[^\;]+)\;(?<a_3>[^ ]+) (?<b_1>[^\;]+)\;(?<b_2>[^\;]+)\;(?<b_3>[^ ]+) (?<c_1>[^\;]+)\;(?<c_2>[^\;]+)\;(?<c_3>.*)$" | eval row1='a_1'." ".'b_1'." ".'c_1' | eval row2='a_2'." ".'b_2'." ".'c_2' | eval row3='a_3'." ".'b_3'." ".'c_3' | table row* | transpose | rex field="row 1" "(?<value1>[^ ]*) (?<value2>[^ ]*) (?<value3>.*)$" | table value*
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...