
how to add row fields as column fields in splunk

Explorer

example: I have

Current output

sha256 md5
000sadasd asdasdasdsad

Desired Output

Hash_type values
sha256 000sadasd
md5 asdasdasdas

I can use eval to create a new field named Hashtype dynamically, but then how do I create new fields within HASHtype as shown above?


Re: how to add row fields as column fields in splunk

Legend

Can you share your current search? Typically, something like this should work...

.... | stats values(values) as values by Hash_type

Re: how to add row fields as column fields in splunk

Explorer

Current search : index= bigfix sourcetype = software |stats values(md5) by sha256

sha256 md5
000sadasd asdasdasdsad
235asddas dasda232wded

Desired output

Create a new column HASH_TYPE and HASH

HASH_TYPE HASH
sha256 000sadasd
235asddas
md5 asdasdasdsad
dasda232wded


Re: how to add row fields as column fields in splunk

Legend

Do you already have the HASH_TYPE and HASH fields extracted? If not, can you share some sample data?


Re: how to add row fields as column fields in splunk

Path Finder

You can do:

 | stats values(md5) AS HASH by sha256 | rename sha256 AS HASH_TYPE

Re: how to add row fields as column fields in splunk

Influencer

Use | transpose | rename column as HASHTYPE | rename row* as HASHVALUES* at the end of your search


Re: how to add row fields as column fields in splunk

Explorer

Thanks, this query works partially; renaming row* AS HASH_VALUES* is creating multiple rows.

Current output after executing the above query

Hash_type row1 row2
sha256 0002b43ce3...... 00053ae8...
md5 5f149df4c6..... db0f55d89......

Desired output

Hashtype HASHVALUES
sha256 0002b43ce3......
00053ae8...
md5 5f149df4c6.....
db0f55d89......

Should I use mvcombine to get the desired output? Please suggest.


Re: how to add row fields as column fields in splunk

Explorer

HASHtype and HASHVALUES are 2 different rows under which sha256 and md5 come as HASH_type and their corresponding values.


Re: how to add row fields as column fields in splunk

SplunkTrust

Give this a try

index= bigfix sourcetype = software |stats values(md5) as md5 by sha256 | eval temp=1 | untable temp HASH_TYPE HASH | fields - temp

If you want to merge all values for a particular HASH_TYPE, try this

index= bigfix sourcetype = software |stats values(md5) as md5 by sha256 | eval temp=1 | untable temp HASH_TYPE HASH | stats values(HASH) as HASH by HASH_TYPE

Re: how to add row fields as column fields in splunk

Explorer

I am getting the below output when executing this query

index=res sourcetype=resauthfilehashes | eval HASH_TYPE = case(len(HASH)=64,"sha256", len(HASH)=32,"md5") | stats values(HASH) as HASH by HASH_TYPE

Output
md5 005ECF2A6C557DDCEC50E8BF5627BA9C
00BB8079A7A4DA87FE5CEBFD3E34864B
00FD993D5756CBB66326895778869269

Desired Output
md5 005ECF2A6C557DDCEC50E8BF5627BA9C
md5 00BB8079A7A4DA87FE5CEBFD3E34864B
md5 00FD993D5756CBB66326895778869269

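Added example, not code from any post in this thread: a small Python model of the two SPL steps the thread settles on, the wide-to-long reshape that the `untable temp HASH_TYPE HASH` answer performs and the length-based classification in the last post's `eval HASH_TYPE = case(len(HASH)=64,"sha256", len(HASH)=32,"md5")`. It also shows the one-hash-per-row result the last post asks for, which in SPL is what `mvexpand HASH` produces after the merging `stats values(HASH) as HASH by HASH_TYPE`. One caveat worth knowing when reviewing file-hash data this way: `case()` with no default returns null for any value that is neither 32 nor 64 characters (a sha1, a truncated or non-hex value), and `stats ... by HASH_TYPE` then silently drops those rows; the `hash_type` function below returns `None` in the same situations so the drop is visible. All hashes are constructed placeholders, and the 40-character sha1 case and the `classify_events` helper are additions beyond the thread.

```python
# Added example (not code from any post in this thread): a Python model of
# the SPL reshape (`untable`), merge (`stats values`), expand (`mvexpand`)
# and length-based `eval case()` classification discussed above.
# All sample hashes are constructed placeholders, not real file hashes.
from typing import Dict, List, Optional

# Digest length in hex characters -> hash type. The 40-character sha1 entry
# goes beyond the thread's two cases so an unlisted length is exercised too.
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}

# Constructed sample: the shape `stats values(md5) as md5 by sha256` returns,
# one row per sha256 with a possibly multi-valued md5 cell.
WIDE_ROWS: List[Dict[str, object]] = [
    {"sha256": "a" * 64, "md5": ["b" * 32, "c" * 32]},
    {"sha256": "d" * 64, "md5": ["e" * 32]},
]


def hash_type(value: str) -> Optional[str]:
    """Classify a hex digest by length, like the thread's eval case().
    Returns None (SPL null) when the value is not hex of a known length;
    in SPL such rows are then dropped by `stats ... by HASH_TYPE`."""
    v = value.strip()
    if not v or any(ch not in "0123456789abcdefABCDEF" for ch in v):
        return None
    return HASH_LENGTHS.get(len(v))


def untable(rows, key_field: str, value_field: str) -> List[Dict[str, str]]:
    """Wide -> long, as `untable temp HASH_TYPE HASH` does after `eval temp=1`:
    every column of every row becomes a {key_field: column, value_field: cell}
    record. Multi-valued cells are split one hash per record here, which is
    the job of a trailing `mvexpand` in SPL."""
    out: List[Dict[str, str]] = []
    for row in rows:
        for column, cell in row.items():
            values = cell if isinstance(cell, list) else [cell]
            for v in values:
                out.append({key_field: column, value_field: v})
    return out


def merge_by_type(long_rows, key_field="HASH_TYPE", value_field="HASH") -> Dict[str, List[str]]:
    """`stats values(HASH) as HASH by HASH_TYPE`: one deduplicated, sorted
    multi-value cell per type (the output the last post got)."""
    groups: Dict[str, set] = {}
    for r in long_rows:
        groups.setdefault(r[key_field], set()).add(r[value_field])
    return {k: sorted(v) for k, v in groups.items()}


def expand(merged, key_field="HASH_TYPE", value_field="HASH") -> List[Dict[str, str]]:
    """`mvexpand HASH`: one row per hash, the last post's desired output."""
    return [{key_field: k, value_field: v} for k, values in merged.items() for v in values]


def classify_events(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """The last post's approach on raw events carrying a single HASH field:
    derive HASH_TYPE by length and discard rows that case() would leave null."""
    rows: List[Dict[str, str]] = []
    for e in events:
        t = hash_type(e["HASH"])
        if t is not None:
            rows.append({"HASH_TYPE": t, "HASH": e["HASH"]})
    return rows


if __name__ == "__main__":
    long_rows = untable(WIDE_ROWS, "HASH_TYPE", "HASH")
    for r in expand(merge_by_type(long_rows)):
        print(r["HASH_TYPE"], r["HASH"])
    # Constructed events, including one value that case() would not classify
    events = [{"HASH": "f" * 32}, {"HASH": "0" * 64}, {"HASH": "not-a-hash"}]
    print(classify_events(events))
```

Running the block prints the five constructed hashes as HASH_TYPE/HASH pairs, then the two classifiable events; the unclassifiable `not-a-hash` value is dropped exactly as the SPL `stats ... by HASH_TYPE` would drop it, which is the behaviour to watch for when counting hashes per type.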