How to place and sort data in a table for a single event based on the field names?

waldez
Engager

Hello,

I'm having trouble breaking apart an event into a chart.

I have an event with 15 data points. The field titles are Alpha_1, Alpha_2, Alpha_3, Bravo_1, Bravo_2... all the way until Echo_3.

I want to table the information with rows Alpha, Bravo, Charlie, Delta, Echo, and columns 1, 2 and 3.

Can someone help me with this search? It's quite complicated because I need to analyze the field names in order to sort the data into the respective place in the table.

Thanks in advance, Waldez

0 Karma
1 Solution

somesoni2
SplunkTrust
SplunkTrust

Assuming you've got fixed field names and numbers, try like this:

your base search | table Alpha* Bravo* Charlie* Delta* Echo* | eval temp=1 | untable temp key value | rex field=key "(?<x>\w+)_(?<y>\d+)" | chart values(value) over x by y

Updated
Since your field naming convention has changed (from the example), the rex will change too. Try like this (will incorporate Martin's xyseries option as well):

index=my base search| table BN* BS* NE* NW* South* | eval temp=1 | untable temp key value | rex field=key "^(?<x>\w+)_(?<y>.*)"| xyseries x y value
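The accepted pipeline above, as an added example that is not from the original post: it replaces the base search with a single event built by makeresults (constructed sample values, not real data) so the untable/rex/xyseries steps can be tried without the poster's index. The regex uses the `[^_]+` group from Martin's reply, so the row key is the text before the first underscore and the column key is everything after it, which is what distinguishes BN_Received_Daily (column Received_Daily) from BN_percent_error (column percent_error).

```spl
| makeresults
| eval BN_Received_Daily=120, BN_Sent_Daily=115, BN_percent_error=4.2,
       BS_Received_Daily=80,  BS_Sent_Daily=78,  BS_percent_error=2.5,
       NE_Received_Daily=60,  NE_Sent_Daily=61,  NE_percent_error=1.7,
       NW_Received_Daily=45,  NW_Sent_Daily=40,  NW_percent_error=11.1,
       South_Received_Daily=200, South_Sent_Daily=190, South_percent_error=5.0
| table BN* BS* NE* NW* South*
| eval temp=1
| untable temp key value
| rex field=key "^(?<x>[^_]+)_(?<y>.+)$"
| xyseries x y value
```

The result is five rows (BN, BS, NE, NW, South) with the columns Received_Daily, Sent_Daily and percent_error; `table` drops `_time` and every field not matching the wildcards, and `eval temp=1` gives untable the single x-field it needs to turn the wide event into key/value rows.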

martin_mueller
SplunkTrust
SplunkTrust

The rex call is the one; it was tailored to Alpha_1 etc. Try this:

... | rex field=key "(?<x>[^_]+)_(?<y>.+)" | ...

waldez
Engager

That was it! Thanks a ton!

0 Karma

waldez
Engager

For some reason this isn't working. I'm unfamiliar with the rex and untable functions and I'm not certain I'm modifying the syntax correctly. My actual field names are BN_Received_Daily, BN_Sent_Daily, BN_percent_error, BS_Received_Daily, BS_Sent_Daily, BS_percent_error, and so on for NE, NW and South. I'm trying to get to BN, BS, NE, NW, and South for the rows, and Sent_Daily, Received_Daily and Percent_Error for the columns.

I tried modifying your recommendation, but it isn't coming out correct, any suggestions? This is what I've got so far (I know I'm screwing something simple up):

index=my base search| table BN* BS* NE* NW* South* | eval temp=1 | untable temp key value | rex field=key "(?<x>\w+)_(?<y>\d+)"| chart values(value) over x by y
0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Instead of chart, you could also use the reverse of untable: ... | xyseries x y value

0 Karma

sundareshr
Legend

See if the multivalue commands give you any ideas on how you can achieve this

http://docs.splunk.com/Documentation/Splunk/6.1.9/SearchReference/mvexpand

0 Karma