Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Need to show a report by extracting multivalued lines

srinathd
Contributor
‎10-30-2014 02:43 AM

I have multivalued lines in my log file like below

abc\xFD123\xFDABC
aus\xFDIND\xFDUK
12\xFD34\xFD56

I have to show the report in table format like below

abc aus 12
123 IND 34
ABC UK 56

how to achieve this using a query. Please let me know

Thanks,
Srinath

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

tom_frotscher
Builder
‎10-30-2014 06:09 AM

Hi,

here is a run everywere example of how you can solve this problem. Maybe you have to adjust a little bit by using a table command at the end:

| stats count | fields - count | eval mv_field="abcxFD123xFDABC ausxFDINDxFDUK 12xFD34xFD56" | eval mv_field=replace('mv_field',"xFD",";") | rex field=mv_field "(?<ex_1>[^\;]+)\;(?<ex_2>[^\;]+)\;(?<ex_3>[^\;]+)\;(?<ex_4>[^\;]+)\;(?<ex_5>[^\;]+)\;(?<ex_6>[^\;]+)\;(?<ex_7>.*)$"

Greetings

Tom

View solution in original post

Reply
Solved! Jump to solution
Solution

tom_frotscher
Builder
‎10-30-2014 06:09 AM

Hi,

here is a run everywere example of how you can solve this problem. Maybe you have to adjust a little bit by using a table command at the end:

| stats count | fields - count | eval mv_field="abcxFD123xFDABC ausxFDINDxFDUK 12xFD34xFD56" | eval mv_field=replace('mv_field',"xFD",";") | rex field=mv_field "(?<ex_1>[^\;]+)\;(?<ex_2>[^\;]+)\;(?<ex_3>[^\;]+)\;(?<ex_4>[^\;]+)\;(?<ex_5>[^\;]+)\;(?<ex_6>[^\;]+)\;(?<ex_7>.*)$"

Greetings

Tom

Reply
Solved! Jump to solution

srinathd
Contributor
‎10-30-2014 06:38 AM

Thanks for your answer. The entry in the log will be in this format

abc\xFD123\xFDABC aus\xFDIND\xFDUK 12\xFD34\xFD56

but i need to show in the table like below

abc aus 12

123 IND 34

ABC UK 56

Thanks,
Srinath

0 Karma
Reply
Solved! Jump to solution

tom_frotscher
Builder
‎10-30-2014 07:26 AM

Is this: "abcxFD123xFDABC ausxFDINDxFDUK 12xFD34xFD56" all in one line, or in 3 seperate lines? sometimes a screenshot from the data as you can see it in splunk is the best for us to help.

I don't know, this looks pretty messy and complicated, but maybe it helps:

| stats count | fields - count | eval mv_field="abcxFD123xFDABC ausxFDINDxFDUK 12xFD34xFD56" | eval mv_field=replace('mv_field',"xFD",";") | rex field=mv_field "(?<a_1>[^\;]+)\;(?<a_2>[^\;]+)\;(?<a_3>[^ ]+) (?<b_1>[^\;]+)\;(?<b_2>[^\;]+)\;(?<b_3>[^ ]+) (?<c_1>[^\;]+)\;(?<c_2>[^\;]+)\;(?<c_3>.*)$" | eval row1='a_1'." ".'b_1'." ".'c_1' | eval row2='a_2'." ".'b_2'." ".'c_2' | eval row3='a_3'." ".'b_3'." ".'c_3' | table row* | transpose | rex field="row 1" "(?<value1>[^ ]*) (?<value2>[^ ]*) (?<value3>.*)$" | table value*
Reply
Get Updates on the Splunk Community!

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...