Splunk Search

Table format raw data

Azwaliyana
Path Finder

I want to extract the field that are on the left which are status, monitoirng status, monitoring mode and so on. Multikv command can be used when the header is at the first row. What command should I use in Splunk search if the header is at the first column?

Azwaliyana_0-1636528965952.png

 

Labels (1)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

Convert each event to the equivalent JSON string and then use spath to extract the fields

| makeresults
| eval _raw="Monit 5.26.0 uptime: 320d 5h 28m

Program 'mio_tomcat'
  status                       OK
  monitoring status            Monitored
  monitoring mode              active
  on reboot                    start
  last exit value              0
  last output                  MIO_TOMCAT is running (pid:3994)
  data collected               Tue, 12 Oct 2021 10:02:30
|
Monit 5.26.0 uptime: 320d 5h 28m

Program 'mio_tomcat'
  status                       OK
  monitoring status            Monitored
  monitoring mode              active
  on reboot                    start
  last exit value              0
  last output                  MIO_TOMCAT is running (pid:2486)
  data collected               Tue, 12 Oct 2021 10:02:22"
| eval event=split(_raw,"|")
| mvexpand event
| eval _raw=event
| table _raw



| rex max_match=0 "\s\s(?<name>.{30})(?<value>.*)"
| eval name=mvmap(name,"\"".trim(name)."\"")
| eval value=mvmap(value,"\"".value."\"")
| eval fields=mvzip(name,value,":")
| eval _raw="{".mvjoin(fields,",")."}"
| table _raw
| spath

View solution in original post

Azwaliyana
Path Finder

Yes it represents one event in Splunk.

The raw data 

Monit 5.26.0 uptime: 320d 5h 28m

Program 'mio_tomcat'
  status                       OK
  monitoring status            Monitored
  monitoring mode              active
  on reboot                    start
  last exit value              0
  last output                  MIO_TOMCAT is running (pid:3994)
  data collected               Tue, 12 Oct 2021 10:02:30

Monit 5.26.0 uptime: 320d 5h 28m

Program 'mio_tomcat'
  status                       OK
  monitoring status            Monitored
  monitoring mode              active
  on reboot                    start
  last exit value              0
  last output                  MIO_TOMCAT is running (pid:2486)
  data collected               Tue, 12 Oct 2021 10:02:22

 

The spacing is the same for all events. The columns do line up for all events.

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Convert each event to the equivalent JSON string and then use spath to extract the fields

| makeresults
| eval _raw="Monit 5.26.0 uptime: 320d 5h 28m

Program 'mio_tomcat'
  status                       OK
  monitoring status            Monitored
  monitoring mode              active
  on reboot                    start
  last exit value              0
  last output                  MIO_TOMCAT is running (pid:3994)
  data collected               Tue, 12 Oct 2021 10:02:30
|
Monit 5.26.0 uptime: 320d 5h 28m

Program 'mio_tomcat'
  status                       OK
  monitoring status            Monitored
  monitoring mode              active
  on reboot                    start
  last exit value              0
  last output                  MIO_TOMCAT is running (pid:2486)
  data collected               Tue, 12 Oct 2021 10:02:22"
| eval event=split(_raw,"|")
| mvexpand event
| eval _raw=event
| table _raw



| rex max_match=0 "\s\s(?<name>.{30})(?<value>.*)"
| eval name=mvmap(name,"\"".trim(name)."\"")
| eval value=mvmap(value,"\"".value."\"")
| eval fields=mvzip(name,value,":")
| eval _raw="{".mvjoin(fields,",")."}"
| table _raw
| spath

ITWhisperer
SplunkTrust
SplunkTrust

Does this represent one event in splunk?

Can you share some raw event examples in a code block </>?

Is the spacing the same in all the events e.g. do all the columns line up in all the events?

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...