Splunk Search

splitting and inverting

New Member

How do I go from:

"metrics=[a=1,b=2,c=3]"
"metrics=[a=2,b=5,c=6]"
"metrics=[a=1,c=3,c=4]"

To:

"a,b,c"
"1,2,3"
"2,5,6"
"1,3,4"
  • There are a lot more key/value pairs in here, so I don't want to rex them out manually.
  • extract didn't work; I'm using a remote syslog streaming mechanism (no props.conf, transforms.conf).
  • Splitting by comma gave me a multivalue field; I couldn't manage to get much further. I wanted a foreach value.

thanks


SplunkTrust

You don't need a transform to use extract. Try this:

... | extract kvdelim="=" pairdelim=","
---
If this reply helps you, an upvote would be appreciated.


New Member

richgalloway helped me to troubleshoot the extract command, which ultimately makes this problem much easier to deal with.


SplunkTrust

Hi jamesrender,
Usually Splunk recognizes fields when they are in the format field=value, so with a simple table command you can get the requested table:

yoursearch
| table a b c

Bye.
Giuseppe



New Member

OK, by redirecting my rex'd-out field to _raw and THEN running kvdelim, I've got all the fields exposed:

| rex field=message "msg=\[\{(?<metrics_detail>.*?)\}\]" | eval _raw=metrics_detail | extract kvdelim="=" pairdelim=","

How do I dump them to a table without explicitly doing table a b c, as there are 20 or more fields?


New Member

What is the expected output from doing this?

I'd think new fields:
a=1
b=2
c=3

I don't see any effect of adding this to the query; no new fields 😞
I've used fieldsummary to see:

extract kvdelim="=" pairdelim=", " | fieldsummary


SplunkTrust

Try this run-anywhere example. I get separate fields with it.

| makeresults 
| eval _raw= "metrics=[a=1,b=2,c=3]" 
| extract kvdelim="=" pairdelim=",]"
---
If this reply helps you, an upvote would be appreciated.

New Member

Yes, that works nicely!
WTH, I wonder what gives with my real-world corporate data version.
This has helped reassure me that extract does work!


New Member

What is the field that extract is working on? I've done a rex to generate a field that's in the metrics=[a=1,b=2,c=3] format.


New Member

I've gotten extract working when I redirect my rex'd field to _raw like so:

| rex field=message "msg=\[\{(?<metrics_detail>.*?)\}\]" | eval _raw=metrics_detail | extract kvdelim="=" pairdelim=","

So now I have a ton of fields; is there a short way to dump a lot of fields out other than explicitly doing table a b c?


New Member

Thanks, helped a lot.


You can do |stats values(*) AS * to display the contents of all non-internal fields.


SplunkTrust

You can use | fields - _* | table * to display all non-internal fields.

---
If this reply helps you, an upvote would be appreciated.
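Putting the pieces of this thread together as one run-anywhere search (an added example, not code from any of the posts above): three events are constructed inline in the OP's msg=[{metrics=[...]}] shape, the rex pattern is an assumption about that wrapper (it captures only what sits between the brackets, so extract never sees the leading "metrics=["), and the final two commands drop the helper fields and the internal ones before tabling everything that is left.

```spl
| makeresults count=3
| streamstats count AS n
| eval message=case(
      n=1, "msg=[{metrics=[a=1,b=2,c=3]}]",
      n=2, "msg=[{metrics=[a=2,b=5,c=6]}]",
      n=3, "msg=[{metrics=[a=1,c=3,c=4]}]")
| rex field=message "metrics=\[(?<metrics_detail>[^\]]*)\]"
| eval _raw=metrics_detail
| extract kvdelim="=" pairdelim=","
| fields - _* n message metrics_detail
| table *
```

Two things worth knowing before running this on real data. First, `extract` only reads `_raw`, which is why the `eval _raw=metrics_detail` step is needed when the pairs live inside another field. Second, the third event shows the edge case from the question: b is empty for that row and the repeated key yields a multivalue c field (3 and 4), so the "1,3,4" row the question asks for is not what key/value extraction produces. `| fields - _* | table *` keeps one row per event, which is the shape asked for; `| stats values(*) AS *` would instead collapse all events into a single row of deduplicated value sets and lose the per-event correspondence.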