Splunk Search

convert table data to comma separated key value pair output

aniket
New Member

I am pretty new to Splunk and I have a query which uses the TABLE command to filter output on certain fields. The output looks like:

name    designation    salary
ABC     Manager        12345
XYZ     Clerk          6789

I want to convert the output as:
name=ABC, designation=Manager, salary=12345
name=XYZ, designation=Clerk, salary=6789

Not sure how to transform the data. Can anyone help?

0 Karma

bowesmana
SplunkTrust

This is a more generic solution to the problem, using the foreach command. This will concatenate any set of fields into a new field called tmp. It won't guarantee any order though.

| makeresults 
| eval _raw="name           designation         salary
ABC             Manager               12345
XYZ             Clerk                         6789"
| multikv forceheader=1
| table name designation salary
| eval tmp=""
| foreach * [ eval tmp=if("<<MATCHSTR>>"="tmp", tmp, tmp.",<<MATCHSTR>>=".<<FIELD>>) ]
| eval tmp=substr(tmp,2)

The last 3 lines do the work.

0 Karma

renjith_nair
Legend

If it's a definite set of fields, you can just concatenate them

|eval output="name=".name.",designation=".designation.",salary=".salary|fields output

 

Run anywhere example

|makeresults|eval name="ABC XYZ"|makemv name|mvexpand name
|appendcols [|makeresults|eval designation="Manager Clerk"|makemv designation|mvexpand designation]
|appendcols [|makeresults|eval salary="12345 6789"|makemv salary|mvexpand salary]
|eval output="name=".name.",designation=".designation.",salary=".salary|fields output
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
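
Added example, not part of either answer above: in eval, concatenating a null field makes the whole result null, so with both approaches a row that is missing one field loses its entire key=value string. This variant names the fields in foreach so they are appended in the order listed, skips fields that are null, and uses the ", " separator from the question. The three sample rows are constructed, and the third deliberately has no salary.

```spl
| makeresults count=3
| streamstats count AS n
| eval name=case(n=1, "ABC", n=2, "XYZ", n=3, "PQR")
| eval designation=case(n=1, "Manager", n=2, "Clerk", n=3, "Intern")
| eval salary=case(n=1, "12345", n=2, "6789")
| table name designation salary
| eval tmp=""
| foreach name designation salary
    [ eval tmp=tmp . if(isnull('<<FIELD>>'), "", ", <<FIELD>>=" . '<<FIELD>>') ]
| eval tmp=substr(tmp, 3)
| table tmp
```

The third row comes out as name=PQR, designation=Intern instead of an empty result. Values that themselves contain a comma or an equals sign would still be ambiguous to anything that parses the string back into fields, so wrap the value in quotes if that can occur in your data.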