Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Split values from each fields from output table

KundanNagare23
Loves-to-Learn Lots
‎12-12-2023 05:54 AM

We got output in table but all values are in one column  for each fields of output table. We want to split values in row. Below is the output table for reference. Please help to split it. tempsnip.png 

Labels (1)
Labels
Tags (2)
0 Karma
Reply

dtburrows3
Builder
‎12-12-2023 03:06 PM

If I am understanding your question correctly I usually parse out an array of json objects as a mutlivalued field first and then use an mvexpand against that MV field. After this you can SPATH each json_object individually so its contents will be on its own row. 

This will also prevent situation where there are some json objects whose key's may have null values and them not properly aligning in the final output.

Here is an example:

| makeresults
    | eval
        event_id=sha256(tostring(random())),
        json_object="[{\"field1\": \"value_a\", \"field2\": \"value_b\", \"field3\": \"value_c\"},{\"field1\": \"value_x\", \"field2\": \"value_y\", \"field3\": \"value_z\"},{\"field1\": \"value_q\", \"field2\": \"value_r\", \"field3\": \"value_s\"},{\"field1\": \"value_a\", \"field2\": \"value_r\", \"field3\": \"value_c\", \"field4\": \"value_w\"},{\"field2\": \"value_a\", \"field3\": \"value_b\", \"field4\": \"value_s\"}]"
    | eval
        mv_json_object=spath(json_object, "{}")
    | fields - json_object
    | mvexpand mv_json_object
    | spath input=mv_json_object
    | fields - mv_json_object
Preview file
118 KB
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-12-2023 06:19 AM

It's probably better to split the data before the table is created.  Please share the current SPL.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

KundanNagare23
Loves-to-Learn Lots
‎12-12-2023 06:29 AM

@richgalloway Below is SPL  used,

index="*****" host="sclp*" source="*****" "BOLT_ARIBA_ERROR_DETAILS:" "1-57d28402-9058-11ee-83b7-021a6f9d1f1c" "5bda7ec9"
| rex "(?ms)BOLT_ARIBA_ERROR_DETAILS: (?<details>\[.*\])"
| spath input=details output=ERROR_MESSAGE path={}.ERROR_MESSAGE
| spath input=details output=PO_NUMBER path={}.PO_NUMBER
| spath input=details output=MW_ERROR_CODE path={}.MW_ERROR_CODE
| spath input=details output=INVOICE_ID path={}.INVOICE_ID
| spath input=details output=MSG_GUID path={}.MSG_GUID
| spath input=details output=INVOICE_NUMBER path={}.INVOICE_NUMBER
| spath input=details output=UUID path={}.UUID
| spath input=details output=DB_TIMESTAMP path={}.DB_TIMESTAMP
| table ERROR_MESSAGE PO_NUMBER MW_ERROR_CODE INVOICE_ID MSG_GUID INVOICE_NUMBER UUID DB_TIMESTAMP
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-12-2023 11:52 AM

That's not what I was expecting.  I expected a stats values command that was globbing field values together. 

Can you share a sample event?  How many events are in the sample output?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...