Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

how to add row fields as column fields in splunk

ashishlal82
Explorer
‎06-21-2016 11:58 AM

example: I have

Current output

sha256 md5
000sadasd asdasdasdsad

Desired Output

Hash_type values
sha256 000sadasd
md5 asdasdasdas

I can use eval to create a new field named Hash_type dynamically, but then how do I create new fields within HASH_type as show above?

Tags (2)
0 Karma
Reply

woodcock
Esteemed Legend
‎06-22-2016 12:16 AM

Just add this to your existing search:

... | transpose | rename column AS Hash_type "row 1" AS values
0 Karma
Reply

somesoni2
Revered Legend
‎06-21-2016 02:39 PM

Give this a try

index= bigfix sourcetype = software |stats values(md5) as md5 by sha256 | eval temp=1 | untable temp HASH_TYPE HASH | fields - temp

If you want to merge all values for a particular HASH_TYPE, try this

index= bigfix sourcetype = software |stats values(md5) as md5 by sha256 | eval temp=1 | untable temp HASH_TYPE HASH | stats values(HASH) as HASH by HASH_TYPE
0 Karma
Reply

ashishlal82
Explorer
‎06-28-2016 08:00 AM

I am getting below output when executing this query

index=res sourcetype=res_auth_file_hashes | eval HASH_TYPE = case(len(HASH)=64,"sha256", len(HASH)=32,"md5") | stats values(HASH) as HASH by HASH_TYPE

Output
md5 005ECF2A6C557DDCEC50E8BF5627BA9C
00BB8079A7A4DA87FE5CEBFD3E34864B
00FD993D5756CBB66326895778869269

Desired Output
md5 005ECF2A6C557DDCEC50E8BF5627BA9C
md5 00BB8079A7A4DA87FE5CEBFD3E34864B
md5 00FD993D5756CBB66326895778869269

0 Karma
Reply

pradeepkumarg
Influencer
‎06-21-2016 01:01 PM

Use | transpose | rename column as HASH_TYPE | rename row* as HASH_VALUES* at the end of your search

Reply

ashishlal82
Explorer
‎06-21-2016 02:26 PM

Thanks, this query works partially, renaming row* AS HASH_VALUEs* is creating multiples rows

Current output after executing the above query

Hash_type row1 row2
sha256 0002b43ce3...... 00053ae8...
md5 5f149df4c6..... db0f55d89......

Desired output

Hash_type HASH_VALUES

sha256 0002b43ce3......

00053ae8...

md5 5f149df4c6.....
db0f55d89......

Should I use mvcombine to get the desired output, please suggest?

0 Karma
Reply

ashishlal82
Explorer
‎06-21-2016 02:27 PM

HASH_type and HASH_VAlues are 2 different rows under which Sha256 and md5 comes as HASH_type and their corresponding values.

0 Karma
Reply

sundareshr
Legend
‎06-21-2016 12:11 PM

Can you share your current search? Typically, something like this should work... 

.... | stats values(values) as values by Hast_type
0 Karma
Reply

ashishlal82
Explorer
‎06-21-2016 12:21 PM

Current search : index= bigfix sourcetype = software |stats values(md5) by sha256

sha256 md5
000sadasd asdasdasdsad
235asddas dasda232wded

Desired output

Create a new column HASH_TYPE and HASH

HASH_TYPE HASH
sha256 000sadasd
235asddas
md5 asdasdasdsad
dasda232wded

0 Karma
Reply

splunker1981
Path Finder
‎06-21-2016 12:54 PM

You can do:

 | stats values(md5) AS HASH by sha256 | rename sha256 AS HASH_TYPE
0 Karma
Reply

sundareshr
Legend
‎06-21-2016 12:31 PM

Do you already have the HASH_TYPE and HASH fields extracted? If not, can you share some sample data?

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...