Solved: Re: Can you help me output field name, value from ...

benthehen100 · ‎09-25-2018

Hello,

I'm trying to get a very specific output format that can be fed into our ticketing system.

I have the following table in Splunk, top line is field names:

sender                             recipient                                 subject
lolwut@domain.com     bob@company.com                                   example1
lolwut@domain.com     alice@company.com                                   example2

This can either be a table or a set of stats values() multivalue fields.

I need the final table to output to a CSV like this:

sender            lolwut@domain.com
sender            lolwut@domain.com
recipient         bob@company.com
recipient          alice@company.com
subject            example1
subject            example2

somesoni2 · ‎09-25-2018

Give this a try

your current search giving fields sender recipient subject
| eval temp=1 
| untable temp fieldName fieldValue
| fields - temp

View solution in original post

somesoni2 · ‎09-25-2018

Give this a try

your current search giving fields sender recipient subject
| eval temp=1 
| untable temp fieldName fieldValue
| fields - temp

benthehen100 · ‎09-26-2018

This worked for me, never heard of the untable command and the doc is a bit weak but this got what I needed. Thank you much!

Can you help me output field name, value from stats table to CSV?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases