Splunk Search

How to reformat the table output?

zacksoft
Contributor
| base query with some eval commands 
| table a_snake, a_cat, a_dog, b_snake, b_cat, b_dog, c_snake, c_cat, c_dog

However, I want the values to be arranged like this with the column header as SNAKE, CAT, DOG

SNAKE    CAT    DOG
a_snake  a_cat  a_dog
b_snake  b_cat  b_dog
c_snake  c_cat  c_dog
0 Karma
1 Solution

kmaron
Motivator

Using what you provided this is what I have

| makeresults 
 | eval animal = "a_cat a_snake a_dog b_cat b_snake b_dog c_cat c_snake c_dog" 
 | makemv animal
 | mvexpand animal
 | rex field=animal "^(?<Letter>.*?)_(?<Type>.*?)$"
 | eval Type = upper(Type)
 | chart values(animal) over Letter by Type
 | fields - Letter

Richfez
SplunkTrust

What do your events actually look like?

And what output does your existing table command show?

(It might actually be useful to know what those eval commands are, but they may not be important)

0 Karma

zacksoft
Contributor

The existing output is:
There is one row and nine columns.
The column headers, from left to right, are a_snake a_cat a_dog b_snake b_cat b_dog .....

0 Karma

kmaron
Motivator

Are a_snake, a_cat, etc. field names or values? I feel like you may be generalizing too much and something is getting lost. Your table command treats them like fields, but then your example table has them like values.

0 Karma
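
For the other reading raised in the thread, where a_snake ... c_dog are field names on a single result row rather than values, one way to pivot them into SNAKE / CAT / DOG columns is to transpose the row first. This is an added example, not code from any poster in this thread; the makeresults/eval lines only build a constructed one-row sample (the val_* values are made up), and the names field, value, Letter and Type are chosen here for illustration.

```spl
| makeresults
| eval a_snake="val_a_snake", a_cat="val_a_cat", a_dog="val_a_dog",
       b_snake="val_b_snake", b_cat="val_b_cat", b_dog="val_b_dog",
       c_snake="val_c_snake", c_cat="val_c_cat", c_dog="val_c_dog"
| fields - _time
| transpose column_name=field
| rename "row 1" AS value
| rex field=field "^(?<Letter>[^_]+)_(?<Type>.+)$"
| eval Type=upper(Type)
| xyseries Letter Type value
| table SNAKE CAT DOG
```

In a real search, the first three commands are replaced by the base query; the final table command both fixes the column order and drops the Letter column.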