Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Table view
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Table view
Hi Guys in splunk i need to create a report . i am trying to create a table with two columns please find the search key below
messageTypeKey=CM0001 ,disQualificationMessage=Cancelled by validation rules. SafeTimeNoPhoneHasNoEmail
Table messageTypeKey,disQualificationMessage
i need the message key and disqualification message
but the table looks like
CM0001 Cancelled
the message after the Cancelled is not appending
i need some suggestions on this
thanks in advance
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@venkat0896 you can use regular expression to perform field extraction as per your needs. Try the following rex command:
| rex "disQualificationMessage=(?<disQualificationMessage>[^\.]+)\.\sSafeTimeNoPhoneHasNoEmail"
Following is a run anywhere example based on your sample data:
| makeresults
| eval _raw="messageTypeKey=CM0001 ,disQualificationMessage=Cancelled by validation rules. SafeTimeNoPhoneHasNoEmail"
| rex "disQualificationMessage=(?<disQualificationMessage>[^\.]+)\.\sSafeTimeNoPhoneHasNoEmail"
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @venkat0896,
This makes total sense because you are allowing splunk to auto-extract the field.
By default the extraction that happens is KV which means key-value and in the case of disQualificationMessage=Cancelled by validation rulesthe value is only Cancelled and not the entire message.
What you will need to do is extract a new field matching exactly what you want to have in the disqualification message. If in your case you need "Cancelled by validation rules. " then you can use the following regex for the extraction :
disQualificationMessage\=(?<disQualificationMessage>[^\.]+)
You can use this run anywhere search to test it out:
| makeresults
| eval A="messageTypeKey=CM0001 ,disQualificationMessage=Cancelled by validation rules. SafeTimeNoPhoneHasNoEmail"
| rex field=A "disQualificationMessage\=(?<disQualificationMessage>[^\.]+)"
Try this for the search in your comment:
source=" " status="Cancelled" | rex field=_raw "disQualificationMessage\=(?<disQualificationMessage>[^\.]+)"| table messageTypeKey,disQualificationMessage
Cheers,
David
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
Can you provide your query with sample events?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
source=" " status="Cancelled" | table messageTypeKey,disQualificationMessage
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
