Splunk Search

How to reformat the table output?

zacksoft
Contributor
| base query with some eval commands 
| table a_snake, a_cat, a_dog, b_snake, b_cat, b_dog, c_snake, c_cat, c_dog

However, I want the values to be arranged like this with the column header as SNAKE, CAT, DOG

SNAKE    CAT    DOG
a_snake  a_cat  a_dog
b_snake  b_cat  b_dog
c_snake  c_cat  c_dog
0 Karma

kmaron
Motivator

Using what you provided this is what I have

| makeresults 
 | eval animal = "a_cat a_snake a_dog b_cat b_snake b_dog c_cat c_snake c_dog" 
 | makemv animal
 | mvexpand animal
 | rex field=animal "^(?<Letter>.*?)_(?<Type>.*?)$"
 | eval Type = upper(Type)
 | chart values(animal) over Letter by Type
 | fields - Letter

Richfez
SplunkTrust

What do your events actually look like?

And what output does your existing table command show?

(It might actually be useful to know what those eval commands are, but they may not be important)

0 Karma

zacksoft
Contributor

The existing output is:
There is one row and nine columns,
and the column headers, left to right, are a_snake a_cat a_dog b_snake b_cat b_dog .....

0 Karma

kmaron
Motivator

Are a_snake, a_cat, etc. field names or values? I feel like you may be generalizing too much and something is getting lost. Your table command treats them like fields, but then your example table has them like values.

0 Karma
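
An added example, not part of any post in this thread: if a_snake, a_cat, etc. are field names on a single result row (the case the last reply asks about), the same rex and chart approach works once the row is transposed so each field name becomes a value. The field values are constructed sample data, and the closing table command pins the column order to SNAKE, CAT, DOG, since chart sorts the split-by columns alphabetically.

```spl
| makeresults
| eval a_snake="python", a_cat="tabby", a_dog="beagle",
       b_snake="cobra", b_cat="siamese", b_dog="poodle",
       c_snake="viper", c_cat="persian", c_dog="husky"
| fields - _time
| transpose column_name=field
| rename "row 1" AS value
| rex field=field "^(?<Letter>[^_]+)_(?<Type>.+)$"
| eval Type=upper(Type)
| chart values(value) over Letter by Type
| table SNAKE, CAT, DOG
```

In a real search, replace the makeresults and eval lines with the base query that produces the nine fields; transpose assumes that query returns a single row.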