Here's my input:
....
....
TradeDetailsDTO [ShortName=ABCD, allocated=600], TradeDetailsDTO [ShortName=EFGH, allocated=400], TradeDetailsDTO [ShortName=IJKL, allocated=300], TradeDetailsDTO [ShortName=MNOP, allocated=700]
....
....
Based on the text above, I am trying to get my output to be displayed in a table like below:
ShortName allocated
ABCD 600
EFGH 400
IJKL 300
MNOP 700
I tried using stats or the foreach commands but neither of them are able to pick up all the four items list in the table above. Note that this list is variable and it may not be 4 items all the time. Please advise.
Try this
your base search | eval z=mvzip(ShortName, allocated, "#") | mvexpand z | rex field=z "(?<ShortName>[^#])#(?<allocated>.*)" | stats values(allocated) as allocated by ShortName
Assuming your fields are extracted (ShortName and allocated) it would be something like this.
basesearch | stats values(ShortName) by allocated
or reverse
|stats values(allocated) by ShortName
Lastly a quick inline regex to extract the fields.
|rex field=_raw "ShortName=(?P<ShortName>\w+),allocated=(?P<allocated>\d+)" |stats values(ShortName) by allocated
Thanks, JDukeSplunk. I tried your solution but it only prints the first row along with the column headers, i.e.:
ShortName allocated
ABCD 600
Am I missing something?