Issue with table command

MadhuriVanga · ‎10-25-2013

Hi,

My saved search looks like below:

index="efg" "$var$" rex "(abc=.*? )(?<payload>.*)(>)" | eval payload=replace(payload,"</.*?:","</") | eval payload=replace(payload,"<[^/]*?:","<") | xpath outfield=AAA "//details/aaa" field=payload|xpath outfield=BBB "//details/bbb" field=payload|xpath outfield=CCC "//details/ccc" field=payload|table AAA, BBB,CCC

When i run this, the table displays the all the values of AAA in a single row, same is the case with values in BBB. Only for CCC field values i am getting all values in different rows. Why is this happening. Please help me resolve this issue.

Currently i am getting the result as shown below:

AAA BBB CCC
1 2 3 4 5 6 1 2 3 4 5 6 1
2
3
4
5
6

lguinn2 · ‎10-28-2013

First, without knowing anything about your data, it is nearly impossible to say why this is happening.
So, a sample of the data (or even a detailed description) would be quite helpful.

Second, it would also nice to see a sample of the results from this search:

index="efg" "$var$" 
| rex "(abc=.*? )(?<payload>.*)(>)" 
| eval payload=replace(payload,"</.*?:","</") 
| eval payload=replace(payload,"<[^/]*?:","<") 
| table payload

That might give you a clue about the results you are seeing.

Issue with table command

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk