Translating an event into a table

Nicholas_Key
Splunk Employee

Hi all, is there a way to translate this event into a table? This is what I get with my search string:

index="vmware" source="vmware_api" "Inventory Report" | head 1 

datacenter=SF
  cluster=Intel-Hosts
    host=10.1.6.34
      vm=perfVMFS
      vm=NicholasVMTest
      vm=Win2003_x86_template
      vm=LisaSplunk4VMware
      vm=Support_vm_debian
      vm=JMW Ubuntu
      vm=vCenter
  cluster=AMD-Hosts
    host=10.1.12.5
      vm=Windows_2k3_64bit
      vm=SUDAENGW2008
      vm=Windows_XP_JPN
      vm=Windows_XP
      vm=Windows_XP_dev
      vm=Windows_2K_i386
      vm=Splunk4VMWare
    host=10.1.12.4
      vm=OpenSuse_10_x86_64
      vm=CentOS_3.9_i386
      vm=OpenSuse_10_i386
      vm=Windows_Vista_64bit
      vm=Solaris10_x86_64
      vm=CentOS_5.3_x84_64
      vm=LiveCD2
      vm=CentOS_3.9_x86_64
      vm=CentOS_5.1_i386
      vm=Ubuntu_8.0.4_x86_64
      vm=Windows_2k8_32bit
      vm=FreeBSD_6.4_x86_64
      vm=LiveCD1
      vm=Windows_2K8_64bit_JPN
      vm=VMware Infrastructure Management Assistant
      vm=CentOS_4.6_x86_64
      vm=CentOS_5.1_x84_64
      vm=CentOS_4.6_i386
      vm=Ubuntu_8.0.4_i386
      vm=Windows_2k3_32bit
      vm=LiveCD3

The table would eventually look like this:

Datacenter | Cluster | Host | VM

Any thoughts?

2 Solutions

gkanapathy
Splunk Employee

I would recommend you change the output format if you have control. If you are creating the input source that creates these events, I would not expect it to be a huge change. Please see http://answers.splunk.com/questions/4734/structuring-nested-data for a recommendation.

Stephen_Sorkin
Splunk Employee

Your best bet is to write a custom python search command that restructures every event as desired.

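The restructuring logic such a command would apply to each event, as an added example that is not code from this thread or from Splunk: it carries the current datacenter, cluster and host forward and emits one row per `vm=` line. The function names are hypothetical, the sample event is a shortened copy of the one in the question, and wiring the function into Splunk's custom search command interface is not shown.

```python
"""Flatten a nested 'Inventory Report' event into Datacenter|Cluster|Host|VM rows."""

# Hierarchy levels in the order they nest inside the event.
LEVELS = ("datacenter", "cluster", "host", "vm")

# Sample input: a shortened copy of the event shown in the question.
SAMPLE_EVENT = """\
datacenter=SF
  cluster=Intel-Hosts
    host=10.1.6.34
      vm=perfVMFS
      vm=JMW Ubuntu
  cluster=AMD-Hosts
    host=10.1.12.5
      vm=Windows_XP
    host=10.1.12.4
      vm=VMware Infrastructure Management Assistant
      vm=LiveCD3
"""


def flatten_inventory(raw_event):
    """Return one dict per VM, carrying its datacenter, cluster and host."""
    context = dict.fromkeys(LEVELS, "")
    rows = []
    for line in raw_event.splitlines():
        key, sep, value = line.strip().partition("=")
        key = key.lower()
        if not sep or key not in LEVELS:
            continue  # not a key=value inventory line; skip it
        depth = LEVELS.index(key)
        context[key] = value.strip()
        # A new parent invalidates everything nested below it.
        for child in LEVELS[depth + 1:]:
            context[child] = ""
        if key == "vm":
            rows.append(dict(context))
    return rows


def to_table(rows):
    """Render the rows as pipe-separated text in the column order asked for."""
    header = "Datacenter | Cluster | Host | VM"
    body = [" | ".join(row[level] for level in LEVELS) for row in rows]
    return "\n".join([header] + body)


if __name__ == "__main__":
    print(to_table(flatten_inventory(SAMPLE_EVENT)))
```

The parser keys off the field names rather than the indentation, so it still works if leading whitespace is trimmed at index time.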

Nicholas_Key
Splunk Employee

I have another thread here about doing a join operation:
http://answers.splunk.com/questions/5756/not-getting-results-from-join

gkanapathy
Splunk Employee

Is the format of your output under your control? i.e., are you writing the script, and can you modify how exactly it is output?
