Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Split values from each fields from output table

KundanNagare23
Loves-to-Learn Lots
‎12-12-2023 05:54 AM

We got output in table but all values are in one column  for each fields of output table. We want to split values in row. Below is the output table for reference. Please help to split it. tempsnip.png 

Labels (1)
Labels
Tags (2)
0 Karma
Reply

dtburrows3
Builder
‎12-12-2023 03:06 PM

If I am understanding your question correctly I usually parse out an array of json objects as a mutlivalued field first and then use an mvexpand against that MV field. After this you can SPATH each json_object individually so its contents will be on its own row. 

This will also prevent situation where there are some json objects whose key's may have null values and them not properly aligning in the final output.

Here is an example:

| makeresults
    | eval
        event_id=sha256(tostring(random())),
        json_object="[{\"field1\": \"value_a\", \"field2\": \"value_b\", \"field3\": \"value_c\"},{\"field1\": \"value_x\", \"field2\": \"value_y\", \"field3\": \"value_z\"},{\"field1\": \"value_q\", \"field2\": \"value_r\", \"field3\": \"value_s\"},{\"field1\": \"value_a\", \"field2\": \"value_r\", \"field3\": \"value_c\", \"field4\": \"value_w\"},{\"field2\": \"value_a\", \"field3\": \"value_b\", \"field4\": \"value_s\"}]"
    | eval
        mv_json_object=spath(json_object, "{}")
    | fields - json_object
    | mvexpand mv_json_object
    | spath input=mv_json_object
    | fields - mv_json_object
Preview file
118 KB
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-12-2023 06:19 AM

It's probably better to split the data before the table is created.  Please share the current SPL.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

KundanNagare23
Loves-to-Learn Lots
‎12-12-2023 06:29 AM

@richgalloway Below is SPL  used,

index="*****" host="sclp*" source="*****" "BOLT_ARIBA_ERROR_DETAILS:" "1-57d28402-9058-11ee-83b7-021a6f9d1f1c" "5bda7ec9"
| rex "(?ms)BOLT_ARIBA_ERROR_DETAILS: (?<details>\[.*\])"
| spath input=details output=ERROR_MESSAGE path={}.ERROR_MESSAGE
| spath input=details output=PO_NUMBER path={}.PO_NUMBER
| spath input=details output=MW_ERROR_CODE path={}.MW_ERROR_CODE
| spath input=details output=INVOICE_ID path={}.INVOICE_ID
| spath input=details output=MSG_GUID path={}.MSG_GUID
| spath input=details output=INVOICE_NUMBER path={}.INVOICE_NUMBER
| spath input=details output=UUID path={}.UUID
| spath input=details output=DB_TIMESTAMP path={}.DB_TIMESTAMP
| table ERROR_MESSAGE PO_NUMBER MW_ERROR_CODE INVOICE_ID MSG_GUID INVOICE_NUMBER UUID DB_TIMESTAMP
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-12-2023 11:52 AM

That's not what I was expecting.  I expected a stats values command that was globbing field values together. 

Can you share a sample event?  How many events are in the sample output?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...