Hi,
I have output like the one below. How can we create each key as a separate field with its value?
IFACE
rxpck_s
txpck_s
rxkb_s
system time="Mon Jan 23 10:20:59 2017" HostName ="gpd-653-fc88" name="HealthCheck|SAR:IFACE" value="docker0"
system time="Mon Jan 23 10:20:59 2017" HostName ="gpd-653-fc88" name="HealthCheck|SAR:rxpck_s" value="0.00"
system time="Mon Jan 23 10:20:59 2017" HostName ="gpd-653-fc88" name="HealthCheck|SAR:txpck_s" value="0.00"
system time="Mon Jan 23 10:20:59 2017" HostName ="gpd-653-fc88" name="HealthCheck|SAR:rxkB_s" value="0.00"
system time="Mon Jan 23 10:20:59 2017" HostName ="gpd-653-fc88" name="HealthCheck|SAR:txkB_s" value="0.00"
system time="Mon Jan 23 10:20:59 2017" HostName ="gpd-653-fc88" name="HealthCheck|SAR:rxcmp_s" value="0.00"
system time="Mon Jan 23 10:20:59 2017" HostName ="gpd-653-fc88" name="HealthCheck|SAR:txcmp_s" value="0.00"
system time="Mon Jan 23 10:20:59 2017" HostName ="gpd-653-fc88" name="HealthCheck|SAR:rxmcst_s" value="0.00"
Give this a try (assuming the fields name and value are auto-extracted, as they are kv pairs):
your base search | eval commonkey=time."#".HostName| chart values(value) over commonkey by name limit=0
| rex field=commonkey "(?<time>[^#]+)#(?<HostName>.+)" | fields - commonkey | table time HostName *
Use KV_MODE=AUTO
in your props.conf:
https://docs.splunk.com/Documentation/Splunk/6.5.1/Admin/Propsconf
Hi,
thank you.
In my current project the Splunk server is maintained by another team, so I need to wait for approval to add KV_MODE=AUTO under props.conf.
Is there any other way we can achieve this from the search query?
Thank you for your answer, but I am looking for something different.
I am trying to create a dropdown with IFACE, and it has values like docker0, eth0, etc.
If it is "docker0" then I need to display the respective keys with their values.
IFACE="docker0" then I need to display the values in a table like below:
rxpck_s txpck_s
0.00 0.00
A cleaner search would be like this to get proper field names.
your base search | eval commonkey=time."#".HostName | eval name=mvindex(split(name,":"),-1) | chart values(value) over commonkey by name limit=0
| rex field=commonkey "(?<time>[^#]+)#(?<HostName>.+)" | fields - commonkey | table time HostName *
After running this search, you should be getting fields for each value of the 'name' field, like this:
time, HostName, IFACE, rxpck_s, txpck_s, rxkB_s, txkB_s ... other fields
If you want to show other fields only for events where IFACE is docker0, then just add a | where IFACE="docker0"
at the end of the search.
When I run the search below, it gives an error:
Error in 'rex' command: Encountered the following error while compiling the regex '(?[^#]+)#(?.+)': Regex: unrecognized character after (? or (?-
base search | eval commonkey=time."#".HostName | eval name=mvindex(split(name,":"),-1) | chart values(value) over commonkey by name limit=0
| rex field=commonkey "(?[^#]+)#(?.+)" | fields - commonkey | table time HostName *
Hi Somesoni,
is there any syntax error in above search?
You might be missing the name captured groups in your rex. | rex field=commonkey "(?<time>[^#]+)#(?<HostName>.+)"
Thank you.
When I run the search with the where condition, results are displayed for all IFACE values [docker0, eth0, lo].
base search |eval commonkey=time."#".HostName | eval name=mvindex(split(name,":"),-1) | chart values(value) over commonkey by name limit=0| rex field=commonkey "(?[^#]+)#(?.+)" | fields - commonkey | table time HostName * | where IFACE="docker0"
Use a regex to extract the field name, then put the value in curly braces on the left side of an assignment in order to create it as a field. In the code snippet below, I followed up with collapsing together all the individual records by HostName and "system time", so that all your data would appear as a single line with all fields and values displayed.
[your search here]
| rex field=name "^HealthCheck\|SAR:(?<MyFieldName>.*)$"
| eval {MyFieldName}=value
| stats values(*) as * by HostName "system time"
The above assumes that the fields "name" and "value" have been defined for extraction. If not, then use this:
[your search here]
| rex field=_raw "name\=\"HealthCheck\|SAR:(?<MyFieldName>[^\"]*)\""
| rex field=_raw "value\=\"(?<MyFieldValue>[^\"]*)\""
| eval {MyFieldName}=MyFieldValue
| stats values(*) as * by HostName "system time"
Updated to extract "name" and "value" if needed, escape equal sign.
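The pivot that both searches above perform (strip the HealthCheck|SAR: prefix from name, turn each name/value pair into a field, collapse the events of one time+HostName into a single row, then filter on IFACE) as an added Python example, not code from the thread or from Splunk; the sample events and the `pivot_events` / `rows_for_iface` / `capture_with_unescaped_pipe` names are constructed for illustration. It also shows why a rex with an unescaped `|` in "HealthCheck|SAR:" never fills its capture group.

```python
import re
from collections import defaultdict

# Constructed sample events in the same shape as the sar output in the thread.
SAMPLE_EVENTS = """\
system time="Mon Jan 23 10:20:59 2017" HostName ="gpd-653-fc88" name="HealthCheck|SAR:IFACE" value="docker0"
system time="Mon Jan 23 10:20:59 2017" HostName ="gpd-653-fc88" name="HealthCheck|SAR:rxpck_s" value="0.00"
system time="Mon Jan 23 10:20:59 2017" HostName ="gpd-653-fc88" name="HealthCheck|SAR:txpck_s" value="0.00"
system time="Mon Jan 23 10:21:59 2017" HostName ="gpd-653-fc88" name="HealthCheck|SAR:IFACE" value="eth0"
system time="Mon Jan 23 10:21:59 2017" HostName ="gpd-653-fc88" name="HealthCheck|SAR:rxpck_s" value="12.50"
system time="Mon Jan 23 10:21:59 2017" HostName ="gpd-653-fc88" name="HealthCheck|SAR:txpck_s" value="3.25"
""".splitlines()

# The pipe is escaped: an unescaped "HealthCheck|SAR:" is an alternation, so the
# regex matches the literal "HealthCheck" and the capture group never fires.
EVENT_RE = re.compile(
    r'time="(?P<time>[^"]*)"\s+HostName\s*=\s*"(?P<host>[^"]*)"\s+'
    r'name="HealthCheck\|SAR:(?P<field>[^"]*)"\s+value="(?P<value>[^"]*)"'
)

def pivot_events(lines):
    """Equivalent of `eval {MyFieldName}=value | stats values(*) as * by HostName time`:
    one dict per (time, HostName) with every SAR metric as its own key."""
    rows = defaultdict(dict)
    for line in lines:
        m = EVENT_RE.search(line)
        if not m:
            continue  # unparsable line: skip it instead of polluting a row
        rows[(m["time"], m["host"])][m["field"]] = m["value"]
    return [{"time": t, "HostName": h, **f} for (t, h), f in rows.items()]

def rows_for_iface(lines, iface):
    """Equivalent of appending `| where IFACE="<iface>"` to the pivoted search."""
    return [r for r in pivot_events(lines) if r.get("IFACE") == iface]

def capture_with_unescaped_pipe(name):
    """Reproduces the unescaped form `^HealthCheck|SAR:(?<f>.*)$`: the leftmost
    alternative `^HealthCheck` wins, so the group is unset and this returns None."""
    m = re.match(r"^HealthCheck|SAR:(?P<f>.*)$", name)
    return m.group("f") if m else None

if __name__ == "__main__":
    for row in rows_for_iface(SAMPLE_EVENTS, "docker0"):
        print(row)
```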
Hi rajgowd1,
use this regex name\=\"[^:]*\:(?<your_field>[^\"]*)\"
in your field extraction or in the following rex command
| rex "name\=\"[^:]*\:(?<your_field>[^\"]*)\""
you can verify it on https://regex101.com/r/XHE72p/1
Bye.
Giuseppe