
multivalue text into real table

duncanzhang1
New Member

I have log events that look like this...

"name|fname|desc|group|cat|exp|set|in abc|abc||Administrators;Users|S||1|1 bbb|bbb|Internal||N||2|2
ccc|ccc|MFT Service ID|Administrators;Users|S||3|3"

The log event's text is delimited by 6 spaces...

What Splunk query do I use to create a Splunk table like this?

name  fname  desc            group                 cat  exp  set  in
abc   abc                    Administrators;Users  S         1    1
bbb   bbb    Internal                              N         2    2
ccc   ccc    MFT Service ID  Administrators;Users  S         3    3




yuanliu
SplunkTrust

Agree with @PickleRick that you need to clearly demonstrate raw data because I don't think your raw log looks like what you show. Is it more like the following?

name|fname|desc|group|cat|exp|set|in
abc|abc||Administrators;Users|S||1|1
bbb|bbb|Internal||N||2|2
ccc|ccc|MFT Service ID|Administrators;Users|S||3|3

In other words, it is multiline pipe (|) delimited text with a header line. (Like default table list from many SQL DBMS's.) The format shown in your original description cannot be reliably processed.

If my speculation about your raw data is correct, you first change delimiter to comma, then use multikv to extract from the table, like this:

| rex mode=sed "s/\|/,/g"
| multikv forceheader=1
| table name fname desc group cat exp set in

Here is an emulation for you to play with and compare with real data:

| makeresults
| fields - _time
| eval _raw = "name|fname|desc|group|cat|exp|set|in
abc|abc||Administrators;Users|S||1|1
bbb|bbb|Internal||N||2|2
ccc|ccc|MFT Service ID|Administrators;Users|S||3|3"
``` data emulation above ```

Output from this emulation is

name  fname  desc            group                 cat  exp  set  in
abc   abc                    Administrators;Users  S         1    1
bbb   bbb    Internal                              N         2    2
ccc   ccc    MFT Service ID  Administrators;Users  S         3    3
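To check an assumption about the raw layout outside Splunk before committing to an SPL pipeline, the following Python parser (added here as an illustration; it is not code from the thread or from Splunk) reads the same header-first, pipe-delimited event that the answer above speculates about and turns it into one record per row. The sample event, the `row_sep` option for rows joined by runs of spaces (the layout the original question describes), the `mv_fields` option that splits `;`-separated cells such as `group` into lists, and the `strict` column-count check are all assumptions of this example; it is not an SPL query.

```python
import re

# Constructed sample event: the multiline, pipe-delimited, header-first
# layout that the answer above assumes the raw log really has.
SAMPLE_EVENT = """name|fname|desc|group|cat|exp|set|in
abc|abc||Administrators;Users|S||1|1
bbb|bbb|Internal||N||2|2
ccc|ccc|MFT Service ID|Administrators;Users|S||3|3"""


def parse_pipe_table(event, row_sep=r"\r?\n", delimiter="|",
                     mv_sep=";", mv_fields=(), strict=True):
    """Split one event into a list of dicts, one per data row.

    row_sep is a regex; rows are newline-separated by default. If the rows
    are really joined by runs of spaces, pass row_sep=r" {2,}".
    Empty cells (two adjacent pipes) become "" rather than being dropped.
    Fields named in mv_fields are split on mv_sep into lists (hypothetical
    multivalue handling). With strict=True a row whose column count differs
    from the header raises ValueError, so a garbled event fails loudly
    instead of silently shifting values into the wrong columns.
    """
    rows = [r for r in re.split(row_sep, event.strip()) if r.strip()]
    if not rows:
        return []
    header = rows[0].split(delimiter)
    records = []
    for lineno, line in enumerate(rows[1:], start=2):
        cells = line.split(delimiter)
        if len(cells) != len(header):
            if strict:
                raise ValueError(
                    f"row {lineno}: expected {len(header)} columns, got {len(cells)}")
            # Lenient mode: pad short rows, truncate long ones.
            cells = (cells + [""] * len(header))[:len(header)]
        record = dict(zip(header, cells))
        for field in mv_fields:
            if field in record:
                record[field] = record[field].split(mv_sep) if record[field] else []
        records.append(record)
    return records


def render_table(records, columns=None, mv_sep=";"):
    """Return the records as a fixed-width text table (header line + rows)."""
    if not records:
        return ""
    columns = columns or list(records[0].keys())

    def cell(rec, col):
        val = rec.get(col, "")
        return mv_sep.join(val) if isinstance(val, list) else val

    widths = {c: max(len(c), *(len(cell(r, c)) for r in records)) for c in columns}
    lines = [" ".join(c.ljust(widths[c]) for c in columns)]
    for rec in records:
        lines.append(" ".join(cell(rec, c).ljust(widths[c]) for c in columns))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_table(parse_pipe_table(SAMPLE_EVENT)))
```

Running it on the sample prints the four-line table the answer expects. If the real events are single lines with rows separated by spaces, `parse_pipe_table(event, row_sep=r" {2,}")` tries that reading; if a row trips the strict column check, the raw event does not have the assumed shape, which is exactly the point the replies above make about showing the real data first.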

PickleRick
SplunkTrust

Table is just a method of visualizing data. You need to parse your data into fields.

So the question is what the real data looks like (please copy-paste the raw event into a code block or a preformatted paragraph) and what it means. For now you have a lot of pipe-delimited "fields" but no way of knowing which of them are the "header", which are "data" and how many of "data" rows are there.
