
how to create each key as a separate field and with value?

rajgowd1
Communicator

Hi,
I have output like the lines below. How can we create each key as a separate field, together with its value?
IFACE
rxpck_s
txpck_s
rxkb_s

system time="Mon Jan 23 10:20:59 2017" HostName ="gpd-653-fc88"  name="HealthCheck|SAR:IFACE" value="docker0"
system time="Mon Jan 23 10:20:59 2017" HostName ="gpd-653-fc88"  name="HealthCheck|SAR:rxpck_s" value="0.00"
system time="Mon Jan 23 10:20:59 2017" HostName ="gpd-653-fc88"  name="HealthCheck|SAR:txpck_s" value="0.00"
system time="Mon Jan 23 10:20:59 2017" HostName ="gpd-653-fc88"  name="HealthCheck|SAR:rxkB_s" value="0.00"
system time="Mon Jan 23 10:20:59 2017" HostName ="gpd-653-fc88"  name="HealthCheck|SAR:txkB_s" value="0.00"
system time="Mon Jan 23 10:20:59 2017" HostName ="gpd-653-fc88"  name="HealthCheck|SAR:rxcmp_s" value="0.00"
system time="Mon Jan 23 10:20:59 2017" HostName ="gpd-653-fc88"  name="HealthCheck|SAR:txcmp_s" value="0.00"
system time="Mon Jan 23 10:20:59 2017" HostName ="gpd-653-fc88"  name="HealthCheck|SAR:rxmcst_s" value="0.00"
1 Solution

somesoni2
Revered Legend

Give this a try (assuming the fields name and value are auto-extracted, as they are kv pairs):

your base search | eval commonkey=time."#".HostName| chart values(value) over commonkey by name limit=0
| rex field=commonkey "(?<time>[^#]+)#(?<HostName>.+)" | fields - commonkey | table time HostName *


rajgowd1
Communicator

Hi,
thank you.
In my current project the Splunk server is maintained by another team, so I need to wait for approval to add KV_MODE=AUTO under props.conf.

Is there any other way we can achieve this from the search query?



rajgowd1
Communicator

Thank you for your answer, but I am looking for something different.

I am trying to create a dropdown with IFACE, which has values like docker0, eth0, etc.

If it is "docker0", then I need to display the respective keys with their values.

For IFACE="docker0" I need to display the values in a table like below:

rxpck_s txpck_s
0.00 0.00
system time="Mon Jan 23 10:20:59 2017" HostName ="gpd-653-fc88" name="HealthCheck|SAR:IFACE" value="docker0"
system time="Mon Jan 23 10:20:59 2017" HostName ="gpd-653-fc88" name="HealthCheck|SAR:rxpck_s" value="0.00"
system time="Mon Jan 23 10:20:59 2017" HostName ="gpd-653-fc88" name="HealthCheck|SAR:txpck_s" value="0.00"
system time="Mon Jan 23 10:20:59 2017" HostName ="gpd-653-fc88" name="HealthCheck|SAR:rxkB_s" value="0.00"
system time="Mon Jan 23 10:20:59 2017" HostName ="gpd-653-fc88" name="HealthCheck|SAR:txkB_s" value="0.00"
system time="Mon Jan 23 10:20:59 2017" HostName ="gpd-653-fc88" name="HealthCheck|SAR:rxcmp_s" value="0.00"
system time="Mon Jan 23 10:20:59 2017" HostName ="gpd-653-fc88" name="HealthCheck|SAR:txcmp_s" value="0.00"
system time="Mon Jan 23 10:20:59 2017" HostName ="gpd-653-fc88" name="HealthCheck|SAR:rxmcst_s" value="0.00"


somesoni2
Revered Legend

A cleaner search would be like this to get proper field names.

your base search | eval commonkey=time."#".HostName | eval name=mvindex(split(name,":"),-1) | chart values(value) over commonkey by name limit=0
| rex field=commonkey "(?[^#]+)#(?.+)" | fields - commonkey | table time HostName *

After running this search, you should be getting a field for each value of the 'name' field, like this:

time, HostName, IFACE, rxpck_s , txpck_s, txkB_s, txkB_s ....other fields

If you want to show other fields only for events where IFACE is docker0, then just add a | where IFACE="docker0" at the end of the search.


rajgowd1
Communicator

When I run the below search it gives this error:

Error in 'rex' command: Encountered the following error while compiling the regex '(?[^#]+)#(?.+)': Regex: unrecognized character after (? or (?-

base search | eval commonkey=time."#".HostName | eval name=mvindex(split(name,":"),-1) | chart values(value) over commonkey by name limit=0
| rex field=commonkey "(?[^#]+)#(?.+)" | fields - commonkey | table time HostName *


rajgowd1
Communicator

Hi Somesoni,
Is there any syntax error in the above search?


somesoni2
Revered Legend

You might be missing the named capture groups in your rex: | rex field=commonkey "(?<time>[^#]+)#(?<HostName>.+)"


rajgowd1
Communicator

Thank you.
When I run the search with the where condition, results are displayed for all IFACE values [docker0, eth0, Io]:

base search |eval commonkey=time."#".HostName | eval name=mvindex(split(name,":"),-1) | chart values(value) over commonkey by name limit=0| rex field=commonkey "(?[^#]+)#(?.+)" | fields - commonkey | table time HostName * | where IFACE="docker0"


DalJeanis
Legend

Use a regex to extract the field name, then put the value in curly braces on the left side of an assignment in order to create it as a field. In the code snippet below, I followed up by collapsing together all the individual records by HostName and "system time", so that all your data would appear as a single line with all fields and values displayed.

[your search here]
| rex field=name "^HealthCheck\|SAR:(?<MyFieldName>.*)$"
| eval {MyFieldName}=value
| stats values(*) as * by HostName "system time"

The above assumes that the fields "name" and "value" have been defined for extraction. If not, then use this:

[your search here]
| rex field=_raw "name\=\"HealthCheck\|SAR:(?<MyFieldName>[^\"]*)\""
| rex field=_raw "value\=\"(?<MyFieldValue>[^\"]*)\""
| eval {MyFieldName}=MyFieldValue
| stats values(*) as * by HostName "system time"

Updated to extract "name" and "value" if needed, and to escape the equal sign.


gcusello
SplunkTrust

Hi rajgowd1,
Use this regex, name\=\"[^:]*\:(?<your_field>[^\"]*)\", in your field extraction or in the following rex command:

| rex "name\=\"[^:]*\:(?<your_field>[^\"]*)\""

You can verify it on https://regex101.com/r/XHE72p/1
Bye.
Giuseppe

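As an added illustration that is not part of the thread, the following Python script does offline what the searches above do in SPL: it extracts name and value from the raw line (DalJeanis's second rex), keeps only the short key after the colon (somesoni2's mvindex/split and gcusello's regex), pivots one row per time/HostName (chart values(value) over commonkey by name), and filters on IFACE. The sample events are constructed in the thread's format, and the "|" in HealthCheck|SAR is escaped so it is not read as regex alternation.

```python
import re

# Constructed sample events in the thread's format (two sampling intervals).
SAMPLE_EVENTS = [
    'system time="Mon Jan 23 10:20:59 2017" HostName ="gpd-653-fc88"  name="HealthCheck|SAR:IFACE" value="docker0"',
    'system time="Mon Jan 23 10:20:59 2017" HostName ="gpd-653-fc88"  name="HealthCheck|SAR:rxpck_s" value="0.00"',
    'system time="Mon Jan 23 10:20:59 2017" HostName ="gpd-653-fc88"  name="HealthCheck|SAR:txpck_s" value="0.00"',
    'system time="Mon Jan 23 10:21:59 2017" HostName ="gpd-653-fc88"  name="HealthCheck|SAR:IFACE" value="eth0"',
    'system time="Mon Jan 23 10:21:59 2017" HostName ="gpd-653-fc88"  name="HealthCheck|SAR:rxpck_s" value="12.50"',
    'system time="Mon Jan 23 10:21:59 2017" HostName ="gpd-653-fc88"  name="HealthCheck|SAR:txpck_s" value="3.25"',
]

# Field extraction. "HealthCheck\|SAR" escapes the pipe: unescaped, the pattern
# becomes the alternation "...HealthCheck" OR "SAR:(...)" and the capture group
# can match nothing. The key group stops at the closing quote, so the quote
# itself is not captured into the field name.
EVENT_RE = re.compile(
    r'time="(?P<time>[^"]*)"\s+HostName\s*=\s*"(?P<HostName>[^"]*)"\s+'
    r'name="HealthCheck\|SAR:(?P<key>[^"]*)"\s+value="(?P<value>[^"]*)"'
)


def parse_event(line):
    """Return (time, HostName, key, value), or None if the line does not match."""
    m = EVENT_RE.search(line)
    if m is None:
        return None
    return m.group("time"), m.group("HostName"), m.group("key"), m.group("value")


def pivot(lines):
    """Collapse one-metric-per-event rows into one row per (time, HostName),
    with each short key (IFACE, rxpck_s, ...) as its own field; this is the
    effect of 'chart values(value) over commonkey by name'."""
    rows = {}
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue  # unrelated event: no fields created, nothing to pivot
        t, host, key, value = parsed
        rows.setdefault((t, host), {"time": t, "HostName": host})[key] = value
    return list(rows.values())


def rows_for_iface(lines, iface):
    """Equivalent of appending '| where IFACE="docker0"' to the pivoted search."""
    return [row for row in pivot(lines) if row.get("IFACE") == iface]
```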