Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

how to reassign/move values ​​in other fields ?

mah
Builder
‎12-31-2020 02:43 AM

Hi,

I have a table like that : 

idnameappenv
123test1[app]:my_app[env]:my_env
456test2[env]:my_env[app]:my_app

 

My issue is  is that the values ​​of the header env and app are mixed ...
How to put [app] values ​​in "app" column and [env] values ​​in "env" column ?

Is this possible ?

Thanks !

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎12-31-2020 06:42 AM 
| makeresults
| eval _raw="id	name	app	env
123	test1	[app]:my_app	[env]:my_env
456	test2	[env]:my_env	[app]:my_app"
| multikv forceheader=1
| table id	name	app	env
| eval tmp=id."#".name
| fields - id name
| untable tmp app env
| rex field=env "\[(?<app>\w+)\]"
| xyseries tmp app env
| rex field=tmp "(?<id>\d+)#(?<name>\w+)"
| table id name app env

View solution in original post

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎12-31-2020 06:49 AM

It looks like the data was not onboarded properly.  Specifically, the fields were not parsed correctly so data sometimes ended up in the wrong fields.

Can you share some raw events and the props.conf and transforms.conf settings used to ingest them?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

mah
Builder
‎12-31-2020 07:03 AM

it seems I have to improve my script, because raws are formated by the script and directly push in a csv. 

I do not index the csv. I run my script on the Search Head. 

 

 

0 Karma
Reply
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎12-31-2020 06:42 AM 
| makeresults
| eval _raw="id	name	app	env
123	test1	[app]:my_app	[env]:my_env
456	test2	[env]:my_env	[app]:my_app"
| multikv forceheader=1
| table id	name	app	env
| eval tmp=id."#".name
| fields - id name
| untable tmp app env
| rex field=env "\[(?<app>\w+)\]"
| xyseries tmp app env
| rex field=tmp "(?<id>\d+)#(?<name>\w+)"
| table id name app env
Reply
Solved! Jump to solution

mah
Builder
‎12-31-2020 06:49 AM

Perfect ! 

I did not have the logic to do that. 

Thank a lot !

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...