Solved: Re: splitting and inverting

jamesrender · ‎10-26-2017

How do I go from:

”metrics=[a=1,b=2,c=3]”
”metrics=[a=2,b=5,c=6]”
”metrics=[a=1,c=3,c=4]”

To:

“a,b,c”
“1,2,3”
“2,5,6”
“1,3,4”

There are a lot more key, value pairs in here, so I don't want to rex them out manually
extract didn't work I'm using a remotesyslog streaming mechanism (no props.conf, transform.conf)
Splitting by comma gave me a multivalue field, I couldn't manage to get much further - I wanted a foreach value

thanks

richgalloway · ‎10-26-2017

You don't need a transform to use extract. Try this:

... | extract kvdelim="=" pairdelim=","

---
If this reply helps you, Karma would be appreciated.

jamesrender · ‎10-26-2017

richgalloway helped me to troubleshoot extract command which ultimately makes this problem much easier to deal with

gcusello · ‎10-26-2017

Hi jamesrender,
usually Splunk recognize fields when they are in format field=value, so with a simple table command you can have the requested table:

yoursearch
| table a b c

Bye.
Giuseppe

richgalloway · ‎10-26-2017

You don't need a transform to use extract. Try this:

... | extract kvdelim="=" pairdelim=","

---
If this reply helps you, Karma would be appreciated.

jamesrender · ‎10-26-2017

ok, by redirecting my rex'd out field to _raw and THEN running kvdelim, I've got all the fields exposed

| rex field=message "msg=\[\{(?<metrics_detail>.*?)\}\]" | eval _raw=metrics_detail | extract kvdelim="=" pairdelim=","

how do I dump them to a table without explicity doing table a b c as there are 20 or more fields

jamesrender · ‎10-26-2017

What is the expected output from doing this?

I'd think new fields:
a=1
b=2
c=3

I don't see any effect of adding this to the query, no new fields 😞
I've used fieldsummary to see..

extract kvdelim="=" pairdelim=", " | fieldsummary

richgalloway · ‎10-26-2017

Try this run-anywhere example. I get separate fields with it.

| makeresults 
| eval _raw= "metrics=[a=1,b=2,c=3]" 
| extract kvdelim="=" pairdelim=",]"

---
If this reply helps you, Karma would be appreciated.

jamesrender · ‎10-26-2017

Yes, that works nicely!
wth, I wonder what gives with my real world corporate data version.
This has helped reassure me that extract does work!

jamesrender · ‎10-26-2017

what is the field that extract is working on? I've done a rex to generate a field thats in the metrics=[a=1,b=2,c=3] format

jamesrender · ‎10-26-2017

I've gotten extract working when I redirect my rex'd field to _raw like so:

| rex field=message "msg=\[\{(?<metrics_detail>.*?)\}\]" | eval _raw=metrics_detail | extract kvdelim="=" pairdelim=","

So now I've a ton of fields, is there a short way to dump a lot of fields out other than explicitly doing table a b c

jamesrender · ‎10-30-2017

thanks , helped a lot

elliotproebstel · ‎10-26-2017

You can do |stats values(*) AS * to display the contents of all non-internal fields.

richgalloway · ‎10-26-2017

You can use | fields - _* | table * to display all non-internal fields.

---
If this reply helps you, Karma would be appreciated.

splitting and inverting