Splunk Search

How to display multi event rows in a table from a single event?

chrisboy68
Contributor

Hi,

I have data in One event listed as TestName1, TestValue1, TestName2, TestValue2, TestName3, TestValue3. I want to have them show up on separate rows in a table as:

TestName 1 TestValue 1 
TestName 2 TestValue 2
TestName3 TestValue 3

Tried several examples but nothing worked. Any idea?

Thank you,

Chris

Tags (2)
0 Karma

chrisboy68
Contributor

Ok I figured this out based on the tips. "TestName1, TestValue1, TestName2, TestValue2, TestName3, TestValue3" where the actual field names and not the data. Below are the real fields and I had to make up one large field, added delimiters and Regex to slice.

            | eval myCritical =(
                "Critical1:" + "MetricName:" + Crit1MetricName + "Name:" +Crit1Name + "Operator:" + Crit1Operator + "Value:" + Crit1Value + "," + 
                "Critical2:" + "MetricName:" + Crit2MetricName + "Name:" +Crit2Name + "Operator:" + Crit2Operator + "Value:" + Crit2Value + "," + 
                "Critical3:" + "MetricName:" + Crit3MetricName + "Name:" +Crit3Name + "Operator:" + Crit3Operator + "Value:" + Crit3Value + "," + 
                "Critical4:" + "MetricName:" + Crit4MetricName + "Name:" +Crit4Name + "Operator:" + Crit4Operator + "Value:" + Crit4Value + "," + 
                "Critical4:" + "MetricName:" + Crit5MetricName + "Name:" +Crit5Name + "Operator:" + Crit5Operator + "Value:" + Crit5Value + ","  
                ) | rex max_match=0 field=myCritical "(?<Critical>[^,\n]+)" 
            | table Critical

Thank you!

0 Karma

woodcock
Esteemed Legend

Like this:

| makeresults 
| eval _raw="TestName1, TestValue1, TestName2, TestValue2, TestName3, TestValue3" 
| rex max_match=0 "(?<key>[^,\s]+),\s*(?<value>[^,\s]+)"
| table key value

But what I think you really need is this:

| makeresults 
| eval _raw="TestName1, TestValue1, TestName2, TestValue2, TestName3, TestValue3" 
| rex max_match=0 "(?<key>[^,\s]+),\s*(?<value>[^,\s]+)"
| eval _raw=mvzip(key, value, "=")
| kv
0 Karma

vnravikumar
Champion

Hi

Give a try

| makeresults 
| eval msg="TestName1, TestValue1, TestName2, TestValue2, TestName3, TestValue3" 
| rex max_match=0 field=msg "(?P<key>[^,]+)\,(?P<value>[^,]+)" 
| eval key=trim(key) 
| eval value=trim(value) |table key,value

OR

| makeresults 
| eval msg="TestName1, TestValue1, TestName2, TestValue2, TestName3, TestValue3" 
| rex max_match=0 field=msg "(?P<key>[^,]+)\,(?P<value>[^,]+)" 
| eval join = mvzip(trim(key),trim(value) ) 
| mvexpand join 
| eval temp = split(join,",") 
| eval key=mvindex(temp,0) 
| eval value=mvindex(temp,1) |table key, value
0 Karma

somesoni2
SplunkTrust
SplunkTrust

Could you post some real sample event? (mask anything sensitive)? You basically have to find a pattern to identify how TestName and TestValue pairs are written.

0 Karma

chrisboy68
Contributor

Thanks for the suggestions, but still struggling. This is from a lookup table, so makeresults is erroring. My base search is:

        |inputlookup MyLookUpTable.csv  |  search ApplicationName=MyApplicaiton
         | fields Crit1MetricName Crit1Name Crit1Operator Crit1Type Crit1Value
        Crit2MetricName Crit2Name Crit2Operator Crit2Type Crit2Value
        Crit3MetricName Crit3Name Crit3Operator Crit3Type Crit3Value
        Crit4MetricName Crit4Name Crit4Operator Crit4Type Crit4Value
        Crit5MetricName Crit5Name Crit5Operator Crit5Type Crit5Value

the field names are real from the csv. So what I'm looking for is a table to output the following:

Row 1 = Crit1MetricName ,Crit1Name, Crit1Operator, Crit1Type, Crit1Value
Row 2= Crit2MetricName ,Crit2Name ,Crit2Operator, Crit2Type, Crit2Value
Row 3= Crit3MetricName ,Crit3Name, Crit3Operator, Crit3Type, Crit3Value
Row 4 = Crit4MetricName ,Crit4Name, Crit4Operator, Crit4Type, Crit4Value
Row 5 = Crit5MetricName ,Crit5Name ,Crit5Operator, Crit5Type, Crit5Value

Thank you!
Chris

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...