Splunk Search

Issue with table command

MadhuriVanga
New Member

Hi,

My saved search looks like below:

index="efg" "$var$" rex "(abc=.*? )(?<payload>.*)(>)" | eval payload=replace(payload,"</.*?:","</") | eval payload=replace(payload,"<[^/]*?:","<") | xpath outfield=AAA "//details/aaa" field=payload|xpath outfield=BBB "//details/bbb" field=payload|xpath outfield=CCC "//details/ccc" field=payload|table AAA, BBB,CCC

When i run this, the table displays the all the values of AAA in a single row, same is the case with values in BBB. Only for CCC field values i am getting all values in different rows. Why is this happening. Please help me resolve this issue.

Currently i am getting the result as shown below:

AAA BBB CCC
1 2 3 4 5 6 1 2 3 4 5 6 1
2
3
4
5
6

Tags (1)
0 Karma

lguinn2
Legend

First, without knowing anything about your data, it is nearly impossible to say why this is happening.
So, a sample of the data (or even a detailed description) would be quite helpful.

Second, it would also nice to see a sample of the results from this search:

index="efg" "$var$" 
| rex "(abc=.*? )(?<payload>.*)(>)" 
| eval payload=replace(payload,"</.*?:","</") 
| eval payload=replace(payload,"<[^/]*?:","<") 
| table payload

That might give you a clue about the results you are seeing.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...