Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Need help creating a table from column type logs

Mrig342
Contributor
‎06-30-2022 03:10 AM

Hi All,

I am trying to create a table out of the log below:

log:

ServerA ServerB ServerC
ADFILES41-6.2-4 not_available ADFILES41-6.2-4.2
ADM41-5.10.1-4 ADM41-5.10.1-4 ADM41-5.10.1-4
ADM41HF-5.10.1HF004-4 ADM41HF-5.10.1HF004-4 ADM41HF-5.10.1HF004-4
ADM42-5.11-4 ADM42-5.11-4 ADM42-5.11-4
ADM42HF-5.11HF03-4 ADM42HF-5.11HF03-4 not_available
TRA42-5.11-4 TRA42-5.11-4 not_available
not_available ADFILES42-6.2-4 not_available
not_available not_available TRA42-5.13-4

Here you can see that the 1st line gives the server names. 2nd, 3rd,4th and so on lines are applications available in the server.

For eg. From 2nd line you can see that the application ADFILES41-6.2-4 is available in A&C but not in B. Similarly from 9th line you can see that the application TRA42-5.13-4 is available in C but not in A&B.

So the requirement is to create a table in the below way to show if any servers is missing any application.

ServerServerAServerBServerC
ApplicationADFILES41-6.2-4not_availableADFILES41-6.2-4
ApplicationADM41-5.10.1-4ADM41-5.10.1-4ADM41-5.10.1-4
ApplicationADM41HF-5.10.1HF004-4ADM41HF-5.10.1HF004-4ADM41HF-5.10.1HF004-4
ApplicationADM42-5.11-4ADM42-5.11-4ADM42-5.11-4
ApplicationADM42HF-5.11HF03-4ADM42HF-5.11HF03-4not_available
ApplicationTRA42-5.11-4TRA42-5.11-4not_available
Applicationnot_availableADFILES42-6.2-4not_available
Applicationnot_availablenot_availableTRA42-5.13-4

 

Please help me to create a query to get the table in the desired manner.

Any help on the problem would be highly appreciated.

Thank you All..!!

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎06-30-2022 05:30 AM

Check out the multikv command.  It helps to ingest table-formatted data like that.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

Mrig342
Contributor
‎07-05-2022 09:11 AM

Thank you @richgalloway for your insights.

I checked for the spaces between the values and they were equally spaced. Still couldn't get the expected result.

Then I replaced the normal spaces between the values with tab spaces in the logs. And that gave me the result in the expected manner.

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎06-30-2022 05:30 AM

Check out the multikv command.  It helps to ingest table-formatted data like that.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

Mrig342
Contributor
‎07-02-2022 09:56 AM

Thank you @richgalloway ...!!

The command multikv helped me break the events per line-wise. However when I used table command to create a table for dashboard it is not what I desired. 

I used this query "**** | multikv forceheader=1 | table ServerA,ServerB,ServerC" and this gave the table as:

ServerServerAServerBServerC
ApplicationADFILES41-6.2-4 not_available ADFILES41-6.2-4
ApplicationADM41-5.10.1-4 ADM41-5.10.1-4 ADM41-5.10.1-4
ApplicationADM41HF-5.10.1HF004-4 ADM41HF-5.10.1HF004-4 ADM41HF-5.10.1HF004-4
ApplicationADM42-5.11-4 ADM42-5.11-4 ADM42-5.11-4
ApplicationADM42HF-5.11HF03-4 ADM42HF-5.11HF03-4 not_available
ApplicationTRA42-5.11-4 TRA42-5.11-4 not_available
Applicationnot_availableADFILES42-6.2-4not_available
Applicationnot_availablenot_availableTRA42-5.13-4

I am not able to understand what went wrong here in the query, as the logs are equally spaced and are in a tabular format.

Please help me identify what might have gone wrong or help me modify the query to get the desired output.

Any help on this is highly appreciated.

Thank You All..!!

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎07-02-2022 01:36 PM

Double-check the spacing of the columns.  The multikv command is thrown off by uneven columns.

This worked for me:

| makeresults 
| eval _raw="ServerA              ServerB                ServerC
ADFILES41-6.2-4       not_available         ADFILES41-6.2-4.2
ADM41-5.10.1-4        ADM41-5.10.1-4        ADM41-5.10.1-4
ADM41HF-5.10.1HF004-4 ADM41HF-5.10.1HF004-4 ADM41HF-5.10.1HF004-4
ADM42-5.11-4          ADM42-5.11-4          ADM42-5.11-4
ADM42HF-5.11HF03-4    ADM42HF-5.11HF03-4    not_available
TRA42-5.11-4          TRA42-5.11-4          not_available
not_available         ADFILES42-6.2-4       not_available
not_available         not_available         TRA42-5.13-4"
| multikv forceheader=1
| table ServerA ServerB ServerC

richgalloway_0-1656794193759.png

 

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...