Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How can I format the output from a Splunk query?

timbCFCA
Path Finder
‎08-18-2011 08:22 AM

How can I format the output from a Splunk query?

For example I have three fields extracted, A, B, C. I'd like to output "For server A service B is in state C". The original format of the log is so horrible (nearly 20 additional fields I don't want) I'd rather not have to have my users have to struggle through reading it in the raw format. The table command doesn't work since how I'm using the output the table headers are useless.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Ayn
Legend
‎08-18-2011 09:09 AM

You can concatenate strings together to a new field holding the concatenated string using the eval command and then output that using table or however you want to output the field.

<yourbasesearch> 
| eval userfriendlydesc="For server ".A." service ".B." is in state".C
| table userfriendlydesc

If for some reason you don't want to use table you could change the raw message at search time.

<yourbasesearch> 
| eval _raw="For server ".A." service ".B." is in state".C

View solution in original post

Reply
Solved! Jump to solution
Solution

Ayn
Legend
‎08-18-2011 09:09 AM

You can concatenate strings together to a new field holding the concatenated string using the eval command and then output that using table or however you want to output the field.

<yourbasesearch> 
| eval userfriendlydesc="For server ".A." service ".B." is in state".C
| table userfriendlydesc

If for some reason you don't want to use table you could change the raw message at search time.

<yourbasesearch> 
| eval _raw="For server ".A." service ".B." is in state".C
Reply
Solved! Jump to solution

timbCFCA
Path Finder
‎08-19-2011 06:34 AM

That is exactly what I was looking for. I hadn't thought about using an eval in that way - I didn't think that the string concatenation like that would work. Many thanks.

0 Karma
Reply
Solved! Jump to solution

dmaislin_splunk
Splunk Employee
Splunk Employee
‎08-18-2011 08:44 AM

Can you show the search command you are currently using and perhaps some sample output?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...