Splunk Search

How to make a column for a field value in a table?

dhirendra761
Contributor

My data field is in the table format below:

| monitoringData | key | value |
| --- | --- | --- |
| documentStatus":null,"timestamp":1533032713303} | deliverableType | null |
| documentStatus":null,"timestamp":1533032713303} | docType | 564_AD |
| documentStatus":null,"timestamp":1533032713303} | acProgram | 432_CE |
| documentStatus":null,"timestamp":1533032713303} | docId | RR |
| documentStatus":null,"timestamp":1533032713303} | revisionDate | 14018752 |
| documentStatus":null,"timestamp":1533032713303} | deliverableType | 234 |
| documentStatus":null,"timestamp":1533032713303} | docType | 3572_BzW |
| documentStatus":null,"timestamp":1533032713303} | deliverableType | 4516 |
| documentStatus":null,"timestamp":1533032713303} | acProgram | 432_DE |

----------
But my **Requirement** is:

| monitoringData | deliverableType | docType |
| --- | --- | --- |
| documentStatus":null,"timestamp":1533032713303} | null | 564_AD |
| documentStatus":null,"timestamp":1533032713303} | 4516 | 3572_BzW |
| documentStatus":null,"timestamp":1533032713303} | 234 | |

----------
Below is my search query:

    sourcetype="adns"
    | rex max_match=0 field=monitoringData "(?<key>\w+)\":\"?(?<value>\"?[^,\"]+)"
    | eval b=mvzip(key,value)
    | mvexpand b
    | makemv b delim=","
    | eval key=mvindex(b, 0)
    | eval value=mvindex(b, 1)
    | table monitoringData key value
----------

Any help would be appreciated.

Thanks.


harishalipaka
Motivator

hi @dhirendra761

try the query below:

    | makeresults
    | eval monitoringData="documentStatus:null,timestamp:1533032713303}", key="deliverableType", value="null"
    | append [| makeresults | eval monitoringData="documentStatus:null,timestamp:1533032713303}", key="docType", value="564_AD"]
    | table monitoringData key value
    | chart values(value) over monitoringData by key

If it helped you, please accept it as an answer 🙂

Thanks
Harish


niketn
Legend

@dhirendra761 is there any reason why you are not splitting the data on timestamp into individual events before indexing? You can avoid creating a multi-valued field and then splitting it into individual events at search time (which to me is just surplus overhead that can be avoided).

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

dhirendra761
Contributor

@harishalipaka

Yesss, it's working... Thank you very much.


somesoni2
Revered Legend

Another alternative is the xyseries command (useful when you don't want to apply any aggregation with the chart command):

    | makeresults
    | eval monitoringData="documentStatus:null,timestamp:1533032713303}", key="deliverableType", value="null"
    | append [| makeresults | eval monitoringData="documentStatus:null,timestamp:1533032713303}", key="docType", value="564_AD"]
    | table monitoringData key value
    | xyseries monitoringData key value
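What the accepted `chart` answer does, traced through in Python as an added example (editor's code, not from any post in this thread and not Splunk's own): the rex with `max_match=0` becomes `re.finditer`, the `mvzip`/`mvexpand`/`table` stages become a list of flat rows, and `chart values(value) over monitoringData by key` becomes a group-by that keeps the distinct values per key in lexicographic order, which is what `values()` returns. The sample field is constructed and assumes monitoringData holds several JSON objects back to back (the question shows only the tail of each object); the value character class here also excludes `}`, which the original `[^,"]+` lets into the timestamp value. The caveat the example makes visible: `chart ... over monitoringData` (and likewise somesoni2's `xyseries monitoringData key value`) yields one row per distinct monitoringData string, so when every pair carries the same text the three objects collapse into a single row of multivalue cells. `rows_per_object` splits the field into its objects first and gives the three-row layout the question asks for, which is also the shape niketn's suggestion of splitting events before indexing would produce directly.

```python
import re
from collections import OrderedDict, defaultdict

# Constructed sample event (not from the thread): one monitoringData field that
# holds three JSON objects back to back. The question shows only the tail of
# each object, so the full layout is an assumption.
SAMPLE_MONITORING_DATA = (
    '{"deliverableType":null,"docType":"564_AD","documentStatus":null,"timestamp":1533032713303}'
    '{"deliverableType":4516,"docType":"3572_BzW","documentStatus":null,"timestamp":1533032713303}'
    '{"deliverableType":234,"acProgram":"432_CE","documentStatus":null,"timestamp":1533032713303}'
)

# Python form of the question's rex; re.finditer plays the role of max_match=0.
# The post's value class is [^,"]+; "}" is excluded here as well so the value
# that closes an object does not carry the brace along.
KV_RE = re.compile(r'(?P<key>\w+)":"?(?P<value>[^,"}]+)')

# Matches one flat (non-nested) JSON object; used to get one row per object
# instead of one row per distinct monitoringData string.
OBJECT_RE = re.compile(r'\{[^{}]*\}')


def extract_pairs(monitoring_data):
    """All (key, value) pairs in order: rex max_match=0 followed by mvzip/mvexpand."""
    return [(m.group("key"), m.group("value")) for m in KV_RE.finditer(monitoring_data)]


def as_rows(monitoring_data):
    """The `table monitoringData key value` stage: one flat row per pair."""
    return [
        {"monitoringData": monitoring_data, "key": k, "value": v}
        for k, v in extract_pairs(monitoring_data)
    ]


def chart_values(rows, over, by, value):
    """Emulate `chart values(<value>) over <over> by <by>`.

    One output row per distinct <over> value; each <by> column holds the
    distinct <value>s in lexicographic order, which is what values() returns.
    Because every pair in the sample shares the same monitoringData text, the
    three objects collapse into a single row with multivalue cells.
    """
    grouped = OrderedDict()
    for row in rows:
        cols = grouped.setdefault(row[over], defaultdict(set))
        cols[row[by]].add(row[value])
    return [
        {over: key, **{col: sorted(vals) for col, vals in cols.items()}}
        for key, cols in grouped.items()
    ]


def rows_per_object(monitoring_data, columns):
    """One row per embedded JSON object, restricted to the requested columns.

    This is the shape the question asks for (one line per deliverableType /
    docType pairing). A column absent from an object is left out of its row,
    the way the corresponding chart cell stays empty.
    """
    rows = []
    for obj in OBJECT_RE.findall(monitoring_data):
        pairs = dict(extract_pairs(obj))
        rows.append({c: pairs[c] for c in columns if c in pairs})
    return rows


if __name__ == "__main__":
    flat = as_rows(SAMPLE_MONITORING_DATA)
    # Single collapsed row: deliverableType -> ['234', '4516', 'null'], etc.
    for row in chart_values(flat, "monitoringData", "key", "value"):
        print({k: v for k, v in row.items() if k != "monitoringData"})
    # Three rows, one per object, docType missing from the last one.
    for row in rows_per_object(SAMPLE_MONITORING_DATA, ["deliverableType", "docType"]):
        print(row)
```

Run it as a script to see both shapes side by side; the per-object rows are what you would get for free if each JSON object were indexed as its own event.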