Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Split values from each fields from output table

KundanNagare23
Loves-to-Learn Lots
‎12-12-2023 05:54 AM

We got output in table but all values are in one column  for each fields of output table. We want to split values in row. Below is the output table for reference. Please help to split it. tempsnip.png 

Labels (1)
Labels
Tags (2)
0 Karma
Reply

dtburrows3
Builder
‎12-12-2023 03:06 PM

If I am understanding your question correctly I usually parse out an array of json objects as a mutlivalued field first and then use an mvexpand against that MV field. After this you can SPATH each json_object individually so its contents will be on its own row. 

This will also prevent situation where there are some json objects whose key's may have null values and them not properly aligning in the final output.

Here is an example:

| makeresults
    | eval
        event_id=sha256(tostring(random())),
        json_object="[{\"field1\": \"value_a\", \"field2\": \"value_b\", \"field3\": \"value_c\"},{\"field1\": \"value_x\", \"field2\": \"value_y\", \"field3\": \"value_z\"},{\"field1\": \"value_q\", \"field2\": \"value_r\", \"field3\": \"value_s\"},{\"field1\": \"value_a\", \"field2\": \"value_r\", \"field3\": \"value_c\", \"field4\": \"value_w\"},{\"field2\": \"value_a\", \"field3\": \"value_b\", \"field4\": \"value_s\"}]"
    | eval
        mv_json_object=spath(json_object, "{}")
    | fields - json_object
    | mvexpand mv_json_object
    | spath input=mv_json_object
    | fields - mv_json_object
Preview file
118 KB
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-12-2023 06:19 AM

It's probably better to split the data before the table is created.  Please share the current SPL.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

KundanNagare23
Loves-to-Learn Lots
‎12-12-2023 06:29 AM

@richgalloway Below is SPL  used,

index="*****" host="sclp*" source="*****" "BOLT_ARIBA_ERROR_DETAILS:" "1-57d28402-9058-11ee-83b7-021a6f9d1f1c" "5bda7ec9"
| rex "(?ms)BOLT_ARIBA_ERROR_DETAILS: (?<details>\[.*\])"
| spath input=details output=ERROR_MESSAGE path={}.ERROR_MESSAGE
| spath input=details output=PO_NUMBER path={}.PO_NUMBER
| spath input=details output=MW_ERROR_CODE path={}.MW_ERROR_CODE
| spath input=details output=INVOICE_ID path={}.INVOICE_ID
| spath input=details output=MSG_GUID path={}.MSG_GUID
| spath input=details output=INVOICE_NUMBER path={}.INVOICE_NUMBER
| spath input=details output=UUID path={}.UUID
| spath input=details output=DB_TIMESTAMP path={}.DB_TIMESTAMP
| table ERROR_MESSAGE PO_NUMBER MW_ERROR_CODE INVOICE_ID MSG_GUID INVOICE_NUMBER UUID DB_TIMESTAMP
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-12-2023 11:52 AM

That's not what I was expecting.  I expected a stats values command that was globbing field values together. 

Can you share a sample event?  How many events are in the sample output?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...

Keep the Learning Going with the New Best of .conf Hub

Hello Splunkers, With .conf26 getting closer, there’s already a lot of excitement building around this year’s ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...