How to a create a table search for my data?

sravankaripe · ‎03-06-2017

i have fields key and value

field "key" contains values

sessionID      
txnID              
eventSeverity
msgType       
appID             
envID

field "value" contains values

mhdshdsjkj87
kjkfdjkjvkfd37
Debug
RESPONSE
MyService
PROD

_________|  table _time key value

-----------------------------------------------

_time              |          key               |       value
------------------------------------------------------------------
 2017-06-03        |   sessionID                |  mhdshdsjkj87
                   |   txnID                    |  kjkfdjkjvkfd37
                   |   eventSeverity            |  Debug
                   |   msgType                  |  RESPONSE
                   |   appID                    |  MyService
                   |   envID                    |  PROD

how can i convert it into

----|table   sessionID      txnID              eventSeverity msgType       appID             envID   

--------------------------------------------------------------------------------------------------------------
sessionID     |     txnID       |  eventSeverity  |  msgType  |    appID      |    envID   
--------------------------------------------------------------------------------------------------------------
mhdshdsjkj87  |  kjkfdjkjvkfd37 |     Debug       | RESPONSE  |  MyService    |    PROD

woodcock · ‎03-09-2017

This spoofs the data:

| makeresults 
| eval key="sessionID::txnID::eventSeverity::msgType::appID:: envID"
| eval value="mhdshdsjkj87::kjkfdjkjvkfd37::Debug::RESPONSE::MyService::PROD"
| makemv delim="::" key
| makemv delim="::" value

This is your solution:

| streamstats count AS _serial
| eval kvp=mvzip(key, value, "=")
| fields - key value
| mvexpand kvp
| rex field=kvp "^(?<key_1>[^=]+)=(?<val_1>.*)$"
| eval {key_1} = val_1
| fields - kvp key_1 val_1
| stats first(_time) AS _time values(*) AS * BY _serial

somesoni2 · ‎03-06-2017

Assuming in your sample data, _time is available in all rows , try this

your current search giving fields _time key value
| xyseries _time key value

How to a create a table search for my data?

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!