Hi,
I have data in one event listed as TestName1, TestValue1, TestName2, TestValue2, TestName3, TestValue3. I want to have them show up on separate rows in a table as:
TestName 1 TestValue 1
TestName 2 TestValue 2
TestName 3 TestValue 3
Tried several examples but nothing worked. Any idea?
Thank you,
Chris
OK, I figured this out based on the tips. "TestName1, TestValue1, TestName2, TestValue2, TestName3, TestValue3" were the actual field names and not the data. Below are the real fields; I had to make up one large field, add delimiters, and use a regex to slice it.
| eval myCritical =(
"Critical1:" + "MetricName:" + Crit1MetricName + "Name:" +Crit1Name + "Operator:" + Crit1Operator + "Value:" + Crit1Value + "," +
"Critical2:" + "MetricName:" + Crit2MetricName + "Name:" +Crit2Name + "Operator:" + Crit2Operator + "Value:" + Crit2Value + "," +
"Critical3:" + "MetricName:" + Crit3MetricName + "Name:" +Crit3Name + "Operator:" + Crit3Operator + "Value:" + Crit3Value + "," +
"Critical4:" + "MetricName:" + Crit4MetricName + "Name:" +Crit4Name + "Operator:" + Crit4Operator + "Value:" + Crit4Value + "," +
"Critical5:" + "MetricName:" + Crit5MetricName + "Name:" +Crit5Name + "Operator:" + Crit5Operator + "Value:" + Crit5Value + ","
) | rex max_match=0 field=myCritical "(?<Critical>[^,\n]+)"
| table Critical
Thank you!
Like this:
| makeresults
| eval _raw="TestName1, TestValue1, TestName2, TestValue2, TestName3, TestValue3"
| rex max_match=0 "(?<key>[^,\s]+),\s*(?<value>[^,\s]+)"
| table key value
But what I think you really need is this:
| makeresults
| eval _raw="TestName1, TestValue1, TestName2, TestValue2, TestName3, TestValue3"
| rex max_match=0 "(?<key>[^,\s]+),\s*(?<value>[^,\s]+)"
| eval _raw=mvzip(key, value, "=")
| kv
Hi,
Give this a try:
| makeresults
| eval msg="TestName1, TestValue1, TestName2, TestValue2, TestName3, TestValue3"
| rex max_match=0 field=msg "(?P<key>[^,]+)\,(?P<value>[^,]+)"
| eval key=trim(key)
| eval value=trim(value) |table key,value
OR
| makeresults
| eval msg="TestName1, TestValue1, TestName2, TestValue2, TestName3, TestValue3"
| rex max_match=0 field=msg "(?P<key>[^,]+)\,(?P<value>[^,]+)"
| eval join = mvzip(trim(key),trim(value) )
| mvexpand join
| eval temp = split(join,",")
| eval key=mvindex(temp,0)
| eval value=mvindex(temp,1) |table key, value
Could you post some real sample events (mask anything sensitive)? You basically have to find a pattern to identify how TestName and TestValue pairs are written.
Thanks for the suggestions, but still struggling. This is from a lookup table, so makeresults is erroring. My base search is:
|inputlookup MyLookUpTable.csv | search ApplicationName=MyApplicaiton
| fields Crit1MetricName Crit1Name Crit1Operator Crit1Type Crit1Value
Crit2MetricName Crit2Name Crit2Operator Crit2Type Crit2Value
Crit3MetricName Crit3Name Crit3Operator Crit3Type Crit3Value
Crit4MetricName Crit4Name Crit4Operator Crit4Type Crit4Value
Crit5MetricName Crit5Name Crit5Operator Crit5Type Crit5Value
The field names are real from the csv. So what I'm looking for is a table to output the following:
Row 1 = Crit1MetricName, Crit1Name, Crit1Operator, Crit1Type, Crit1Value
Row 2 = Crit2MetricName, Crit2Name, Crit2Operator, Crit2Type, Crit2Value
Row 3 = Crit3MetricName, Crit3Name, Crit3Operator, Crit3Type, Crit3Value
Row 4 = Crit4MetricName, Crit4Name, Crit4Operator, Crit4Type, Crit4Value
Row 5 = Crit5MetricName, Crit5Name, Crit5Operator, Crit5Type, Crit5Value
Thank you!
Chris
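An added example, not part of the original thread: one way to turn the numbered CritN* columns of a single row into one row per criterion, using untable and chart instead of concatenating a large field. The makeresults/eval lines only build constructed sample data (all "sample_" values are made up, and only two of the five criteria are shown) so the search runs stand-alone; it assumes a single row per ApplicationName. For the real lookup, replace the first three lines with the inputlookup and search from the post above.

```spl
| makeresults
| eval ApplicationName="sample_app",
       Crit1MetricName="sample_cpu", Crit1Name="sample_cpu_high", Crit1Operator=">", Crit1Type="sample_static", Crit1Value="90",
       Crit2MetricName="sample_mem", Crit2Name="sample_mem_high", Crit2Operator=">=", Crit2Type="sample_static", Crit2Value="85"
| fields - _time
| fields ApplicationName Crit*
| untable ApplicationName field value
| rex field=field "^Crit(?<n>\d+)(?<attr>\w+)$"
| chart values(value) over n by attr
| rename n as Critical
| table Critical MetricName Name Operator Type Value
```

untable produces one result per field/value pair, rex splits each field name into the criterion number and the attribute name, and chart pivots the attributes back into columns with one row per criterion number.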