Splunk Search

splitting and inverting

jamesrender
New Member

How do I go from:

"metrics=[a=1,b=2,c=3]"
"metrics=[a=2,b=5,c=6]"
"metrics=[a=1,c=3,c=4]"

To:

"a,b,c"
"1,2,3"
"2,5,6"
"1,3,4"
  • There are a lot more key, value pairs in here, so I don't want to rex them out manually.
  • extract didn't work; I'm using a remote syslog streaming mechanism (no props.conf, transforms.conf).
  • Splitting by comma gave me a multivalue field, but I couldn't manage to get much further - I wanted a foreach value.

thanks

0 Karma
1 Solution

richgalloway
SplunkTrust

You don't need a transform to use extract. Try this:

... | extract kvdelim="=" pairdelim=","
---
If this reply helps you, Karma would be appreciated.


0 Karma

jamesrender
New Member

richgalloway helped me to troubleshoot the extract command, which ultimately makes this problem much easier to deal with.

0 Karma

gcusello
SplunkTrust

Hi jamesrender,
usually Splunk recognizes fields when they are in the format field=value, so with a simple table command you can get the requested table:

yoursearch
| table a b c

Bye.
Giuseppe

0 Karma


jamesrender
New Member

OK, by redirecting my rex'd-out field to _raw and THEN running kvdelim, I've got all the fields exposed:

| rex field=message "msg=\[\{(?<metrics_detail>.*?)\}\]" | eval _raw=metrics_detail | extract kvdelim="=" pairdelim=","

How do I dump them to a table without explicitly doing table a b c, as there are 20 or more fields?

0 Karma

jamesrender
New Member

What is the expected output from doing this?

I'd think new fields:
a=1
b=2
c=3

I don't see any effect of adding this to the query, no new fields 😞
I've used fieldsummary to see:

extract kvdelim="=" pairdelim=", " | fieldsummary

0 Karma

richgalloway
SplunkTrust

Try this run-anywhere example. I get separate fields with it.

| makeresults 
| eval _raw= "metrics=[a=1,b=2,c=3]" 
| extract kvdelim="=" pairdelim=",]"
---
If this reply helps you, Karma would be appreciated.
0 Karma

jamesrender
New Member

Yes, that works nicely!
wth, I wonder what gives with my real-world corporate data version.
This has helped reassure me that extract does work!

0 Karma

jamesrender
New Member

What is the field that extract is working on? I've done a rex to generate a field that's in the metrics=[a=1,b=2,c=3] format.

0 Karma

jamesrender
New Member

I've gotten extract working when I redirect my rex'd field to _raw like so:

| rex field=message "msg=\[\{(?<metrics_detail>.*?)\}\]" | eval _raw=metrics_detail | extract kvdelim="=" pairdelim=","

So now I've a ton of fields; is there a short way to dump a lot of fields out other than explicitly doing table a b c?

0 Karma

jamesrender
New Member

thanks, helped a lot

0 Karma

elliotproebstel
Champion

You can do | stats values(*) AS * to display the contents of all non-internal fields.

0 Karma

richgalloway
SplunkTrust

You can use | fields - _* | table * to display all non-internal fields.

---
If this reply helps you, Karma would be appreciated.
0 Karma
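A run-anywhere search that ties the thread together, added here as an example rather than taken from any of the posts: it constructs three events in the question's metrics=[...] format, pulls the key-value pairs out with extract (richgalloway's approach), then drops the internal fields and shows every remaining column without naming them (the fields - _* | table * trick from the last reply). The sample values are constructed for this example (the third event uses b=3 rather than the repeated c of the question), and adding "[" to pairdelim so that the leading "metrics=[" is split off from the first pair is my assumption, not something the posters used.

```spl
| makeresults count=3
| streamstats count AS n
| eval _raw=case(n==1, "metrics=[a=1,b=2,c=3]",
                 n==2, "metrics=[a=2,b=5,c=6]",
                 n==3, "metrics=[a=1,b=3,c=4]")
| extract kvdelim="=" pairdelim=",[]"
| fields - _* n
| table *
```

The makeresults, streamstats and eval lines only exist to fabricate input; against real data they are replaced by the thread's rex ... | eval _raw=metrics_detail step, with extract and the two trailing commands unchanged. Because pairdelim is a list of single-character delimiters, "," "[" and "]" all split pairs, so the bare token metrics (which contains no "=") produces no field and the result is a table with just the a, b and c columns, one row per event, which is the inverted layout the question asked for.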