Solved: How to make a column for a field value in a table?

dhirendra761 · ‎07-31-2018

My data fields is in below table format:

**-----------------------------monitoringData---------------------------key---------------------value**
documentStatus":null,"timestamp":1533032713303}------deliverableType-------null
documentStatus":null,"timestamp":1533032713303}------docType----------------564_AD
documentStatus":null,"timestamp":1533032713303}------acProgram------------432_CE
documentStatus":null,"timestamp":1533032713303}------docId--------------------RR
documentStatus":null,"timestamp":1533032713303}------revisionDate----------14018752
documentStatus":null,"timestamp":1533032713303}------deliverableType-------234
documentStatus":null,"timestamp":1533032713303}------docType----------------3572_BzW
documentStatus":null,"timestamp":1533032713303}------deliverableType-------4516
documentStatus":null,"timestamp":1533032713303}------acProgram-------------432_DE
----------
But my **Requirement** is:

**-----------------------------monitoringData---------------------------deliverableType-------------------------docType**
documentStatus":null,"timestamp":1533032713303}-------null--------------------------------------------564_AD
documentStatus":null,"timestamp":1533032713303}-------4516------------------------------------------3572_BzW
documentStatus":null,"timestamp":1533032713303}-------234--------------------------------------------
----------
Below is my search query:

    sourcetype="adns" | rex max_match=0 field=monitoringData "(?<key>\w+)\":\"?(?<value>\"?[^,\"]+)"|eval b=mvzip(key,value)|mvexpand b| makemv b delim=","|eval key=mvindex(b, 0)| eval value=mvindex(b, 1)|table monitoringData key value
----------

Any help would be appreciated.

Thanks.

harishalipaka · ‎08-01-2018

hi @dhirendra761

try this below query

| makeresults |eval monitoringData="documentStatus:null,timestamp:1533032713303}" ,key="deliverableType",value="null" |append [| makeresults |eval monitoringData="documentStatus:null,timestamp:1533032713303}" ,key="docType",value="564_AD"] |table monitoringData key value |chart values(value) over monitoringData by key

If it is helped ypu please accept as a anser 🙂

Thanks
Harish

View solution in original post

niketn · ‎08-01-2018

@dhirendra761 is there any reason why you are not splitting events with timestamp as individual events before indexing? You can avoid creating multi-valued field and then splitting them into individual events at Search Time (which to me is just surplus overhead which can be avoided).

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

harishalipaka · ‎08-01-2018

hi @dhirendra761

try this below query

| makeresults |eval monitoringData="documentStatus:null,timestamp:1533032713303}" ,key="deliverableType",value="null" |append [| makeresults |eval monitoringData="documentStatus:null,timestamp:1533032713303}" ,key="docType",value="564_AD"] |table monitoringData key value |chart values(value) over monitoringData by key

If it is helped ypu please accept as a anser 🙂

Thanks
Harish

dhirendra761 · ‎08-01-2018

@harishalipaka

yesss. its working ...Thank you very much..

somesoni2 · ‎08-01-2018

Another alternative option is using xyseries command (useful when you don't to apply any aggregation using chart command)

| makeresults |eval monitoringData="documentStatus:null,timestamp:1533032713303}" ,key="deliverableType",value="null" |append [| makeresults |eval monitoringData="documentStatus:null,timestamp:1533032713303}" ,key="docType",value="564_AD"] 
|table monitoringData key value
| xyseries monitoringData key value

How to make a column for a field value in a table?

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!

Index This | Forward, I’m heavy; backward, I’m not. What am I?