Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to develop a table based on my CSV log format?

balleste
Engager
‎09-29-2016 01:50 AM

I have the following log format and I'm trying to create a table that will have the following format:

"Device","Object","Value" "mail01","Analyzed attachment count","100 #" "mail02","Analyzed attachment count","3 #" "mail03","Analyzed attachment count","300 #" "mail04","Analyzed attachment count","25 #" "mail05","Analyzed attachment count","1000 #"

|Device | Object | Value |
|mail01 | Analyzed attachment count | 100 |
|mail02 | Analyzed attachment count | 3 |
|mail03 | Analyzed attachment count | 300 |
|mail04 | Analyzed attachment count | 25 |
|mail05 | Analyzed attachment count | 1000 |

Any ideas?

0 Karma
Reply

somesoni2
SplunkTrust
SplunkTrust
‎09-29-2016 08:05 AM

Try like this

your base search to select that event | rex max_match=0 "\"(?<Device>[^\"]+)\",\"(?<Object>[^\"]+)\",\"(?<Value>\d+)\s+#\"" | eval temp=mvzip(mvzip(Device,Object,"#"),"#")  | mvexpand temp | rex field=temp "(?<Device>.+)#(?<Object>.+)#(?<Value>\d+)" | table Device Object Value
Reply

balleste
Engager
‎09-29-2016 12:43 PM

Thanks for the response...I ran it but I get an error with the eval command stating that the arguments of the mvzip command is invalid.

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...