Splunk Search

How to a create a table search for my data?

sravankaripe
Communicator

I have fields key and value.

Field "key" contains the values:

sessionID
txnID
eventSeverity
msgType
appID
envID

Field "value" contains the values:

mhdshdsjkj87
kjkfdjkjvkfd37
Debug
RESPONSE
MyService
PROD

... | table _time key value

_time        | key            | value
-------------|----------------|----------------
2017-06-03   | sessionID      | mhdshdsjkj87
             | txnID          | kjkfdjkjvkfd37
             | eventSeverity  | Debug
             | msgType        | RESPONSE
             | appID          | MyService
             | envID          | PROD

How can I convert it into this?

... | table sessionID txnID eventSeverity msgType appID envID

sessionID     | txnID          | eventSeverity | msgType  | appID     | envID
--------------|----------------|---------------|----------|-----------|-------
mhdshdsjkj87  | kjkfdjkjvkfd37 | Debug         | RESPONSE | MyService | PROD

woodcock
Esteemed Legend

This spoofs the data:

| makeresults
| eval key="sessionID::txnID::eventSeverity::msgType::appID::envID"
| eval value="mhdshdsjkj87::kjkfdjkjvkfd37::Debug::RESPONSE::MyService::PROD"
| makemv delim="::" key
| makemv delim="::" value

This is your solution:

| streamstats count AS _serial
| eval kvp=mvzip(key, value, "=")
| fields - key value
| mvexpand kvp
| rex field=kvp "^(?<key_1>[^=]+)=(?<val_1>.*)$"
| eval {key_1} = val_1
| fields - kvp key_1 val_1
| stats first(_time) AS _time values(*) AS * BY _serial

somesoni2
SplunkTrust

Assuming that in your sample data _time is available in all rows, try this:

<your current search giving fields _time key value>
| xyseries _time key value
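As an added example (not code from either answer above), here is a Python model of the two approaches: the _serial-based pipeline keeps one wide row per event, while keying on _time alone, as the xyseries answer does, merges any events that share a timestamp (that collapse is modelled as last-write-wins, which is an assumption). The sample events are constructed for this example.

```python
"""Pivot Splunk-style multivalue key/value events into one wide row per event.

Models the SPL on this page: streamstats serial + mvzip/mvexpand + dynamic eval
+ stats BY _serial, versus xyseries keyed on _time alone. Sample events are
constructed for this example.
"""
from typing import Dict, List

# Constructed sample events; the second deliberately shares _time with the first,
# and the first carries a stray " envID" key (leading space) to show it is tolerated.
SAMPLE_EVENTS: List[Dict] = [
    {"_time": "2017-06-03",
     "key": ["sessionID", "txnID", "eventSeverity", "msgType", "appID", " envID"],
     "value": ["mhdshdsjkj87", "kjkfdjkjvkfd37", "Debug", "RESPONSE", "MyService", "PROD"]},
    {"_time": "2017-06-03",
     "key": ["sessionID", "txnID", "eventSeverity"],
     "value": ["abc123", "def456", "Error"]},
]


def pivot_event(event: Dict) -> Dict[str, str]:
    """One event -> one wide row (mvzip, mvexpand, rex, eval {key_1}=val_1)."""
    keys, values = event["key"], event["value"]
    if len(keys) != len(values):
        # Refuse a ragged key/value list instead of silently mis-pairing columns.
        raise ValueError(f"{len(keys)} keys but {len(values)} values")
    row: Dict[str, str] = {"_time": event["_time"]}
    for k, v in zip(keys, values):
        k = k.strip()  # tolerate whitespace around key names
        if k in row:
            raise ValueError(f"duplicate key {k!r} in one event")
        row[k] = v
    return row


def pivot_by_serial(events: List[Dict]) -> List[Dict[str, str]]:
    """stats ... BY _serial: every event keeps its own row, even with equal _time."""
    return [pivot_event(e) for e in events]


def pivot_by_time(events: List[Dict]) -> List[Dict[str, str]]:
    """xyseries _time key value: rows keyed on _time only, so events that share
    a timestamp collapse into one row (modelled here as last-write-wins)."""
    rows: Dict[str, Dict[str, str]] = {}
    for e in events:
        row = rows.setdefault(e["_time"], {"_time": e["_time"]})
        for k, v in zip(e["key"], e["value"]):
            row[k.strip()] = v
    return list(rows.values())


if __name__ == "__main__":
    for r in pivot_by_serial(SAMPLE_EVENTS):
        print(r)
```

Run it as-is to see the per-event rows; compare with pivot_by_time(SAMPLE_EVENTS), which returns a single merged row for the two same-timestamp events.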