Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: I have a list of data. I want to show them in ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a list of data. I want to show them in a table
aadya1985
Loves-to-Learn
04-10-2019
06:51 AM
Hi, I am trying to create a table for data values in the list but I am able to get the first one only. The query I am using:
convert timeformat="%m/%d/%Y %H:%M:%S" mktime(_time)| rex field=_raw "\"DATALIST_R[0-9]{4}_C0001\":\"(?<DATALIST_C0001>.*?)\""| rex field=_raw "\"DATALIST_R[0-9]{4}_C0002\":\"(?<DATALIST_C0002>.*?)\""| eval zip = mvzip(DATALIST_C0001,DATALIST_C0002 )| mvexpand zip | rex field=zip "(?<task>.*),(?<dataVal>.*)" | table _time, Key, zip,task, dataVal
Raw data is:
"DATALIST_Format":"list","DATALIST_Unit":"percent","DATALIST_Date":"04/10/2019 09:01:30","DATALIST_R0001_refno":1,"DATALIST_R0001_percent":0.007,"DATALIST_R0001_C0001":"CLASS1","DATALIST_R0001_C0002":0.007,"DATALIST_R0002_refno":2,"DATALIST_R0002_percent":0.004,"DATALIST_R0002_C0001":"CLASS2","DATALIST_R0002_C0002":0.004,"DATALIST_R0003_refno":3,"DATALIST_R0003_percent":0.004,"DATALIST_R0003_C0001":"CLASS3","DATALIST_R0003_C0002":0.004,"DATALIST_R0004_refno":4,"DATALIST_R0004_percent":0.003,"DATALIST_R0004_C0001":"CLASS12","DATALIST_R0004_C0002":0.003
Fields data is:
DATALIST_Format: list
DATALIST_R0001_C0001: CLASS1
DATALIST_R0001_C0002: 0.007
DATALIST_R0001_percent: 0.007
DATALIST_R0001_refno: 1
DATALIST_R0002_C0001: CLASS2
DATALIST_R0002_C0002: 0.004
DATALIST_R0002_percent: 0.004
DATALIST_R0002_refno: 2
DATALIST_R0003_C0001: CLASS3
DATALIST_R0003_C0002: 0.004
DATALIST_R0003_percent: 0.004
DATALIST_R0003_refno: 3
DATALIST_R0004_C0001: CLASS12
DATALIST_R0004_C0002: 0.003
DATALIST_R0004_percent: 0.003
DATALIST_R0003_refno: 4
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
04-10-2019
08:50 AM
The rex command by default does single match. Since there are multiple values in your data, just include max_match=0 in your rex commands.
convert timeformat="%m/%d/%Y %H:%M:%S" mktime(_time)| rex max_match=0 field=_raw "\"DATALIST_R[0-9]{4}_C0001\":\"(?<DATALIST_C0001>.*?)\""| rex max_match=0 field=_raw "\"DATALIST_R[0-9]{4}_C0002\":\"(?<DATALIST_C0002>.*?)\""| eval zip = mvzip(DATALIST_C0001,DATALIST_C0002 )| mvexpand zip | rex field=zip "(?<task>.*),(?<dataVal>.*)" | table _time, Key, zip,task, dataVal
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
harsmarvania57
Ultra Champion
04-10-2019
08:47 AM
I didn't understand your question properly but if you want to extract data from sample raw data you have provided then try below query
<yourBaseSearch>
| extract pairdelim=",", kvdelim=":"
| table DATA*
Get Updates on the Splunk Community!
Index This | Forward, I’m heavy; backward, I’m not. What am I?
April 2024 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We’re back with another ...
A Guide To Cloud Migration Success
As enterprises’ rapid expansion to the cloud continues, IT leaders are continuously looking for ways to focus ...
Join Us for Splunk University and Get Your Bootcamp Game On!
If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...
