split transactions in exported excel

user93
Communicator

Hello,

I have a list of strings that are more meaningful when grouped and viewed together by time. This is great and easy to do in Splunk with the transaction command. However, I need to export this to Excel. In the export, the transaction becomes a single line and I want to mimic the format to make the groups easy to read.

I get this is probably more of an Excel question, but maybe there is some Splunk pre-formatting I can do to make it easier, like separating the individual items in a transaction by commas, or something similar.

Example of transaction output:

I need help | categoryA | _time
help

help me please

what is splunk | category b | _time
splunk
help please splunk

Example of Excel extract:

I need help help help me please | cat a | _time
what is splunk splunk help please splunk | cat b | time

I want to wrap the values in the Excel cell, but I have nothing to note when to wrap and I don't actually know how to wrap a cell.

0 Karma

to4kawa
Ultra Champion
| makeresults
| eval msg=split("I need help,help,help me please",","), category="category_A"
| appendpipe [ eval msg=split("what is splunk,splunk,help please splunk",","), category="category_B"]
| rename COMMENT as "this is sample you provide"
| rename COMMENT as "please check the result. from here, the logic"
| eval msg=mvjoin(msg,",")
| fields msg,category,_time
| table msg,category,_time

When outputting the CSV, please use fields and table to delete extra fields.

0 Karma

user93
Communicator

@to4kawa

Hey! Thank you, but this doesn't really fit my needs. I think I confused you with my example.

I need any combination of strings, which are actually separate events now grouped in the transaction, to have a comma after the event to give me a way to wrap them line by line in Excel.

The category, I want nothing to do with that; they are just another field value that is important to show in the end report.

0 Karma
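One way to get one event per line inside the Excel cell, as an added example that is not part of the thread or any poster's code: join the grouped events in the search with a delimiter that cannot occur in the messages (as the `mvjoin` in the answer above does with a comma), then post-process the exported CSV so the delimiter becomes a line break inside a quoted cell. The `|||` delimiter, the field names and the sample rows are assumptions constructed for illustration; the sketch also prefixes an apostrophe to any cell that starts with `=`, `+`, `-` or `@`, because exported event text is untrusted and Excel would otherwise evaluate such a cell as a formula.

```python
import csv
import io

DELIM = "|||"                        # assumed delimiter, e.g. mvjoin(msg, "|||") in the search
FORMULA_LEAD = ("=", "+", "-", "@")  # leading characters Excel treats as the start of a formula

# Constructed sample of an exported CSV (not real data from the thread).
SAMPLE = (
    "msg,category,_time\r\n"
    '"I need help|||help|||help me please",category_A,2020-03-01 10:00:00\r\n'
    '"what is splunk|||splunk|||help please splunk",category_B,2020-03-01 10:05:00\r\n'
    '"=1+1|||help",category_A,2020-03-01 10:10:00\r\n'
)


def neutralise(cell):
    """Prefix an apostrophe so Excel displays the text instead of evaluating it."""
    cell = cell or ""
    return "'" + cell if cell.startswith(FORMULA_LEAD) else cell


def wrap_cells(exported_csv, field="msg", delim=DELIM):
    """Return the CSV with each grouped event on its own line inside the cell."""
    reader = csv.DictReader(io.StringIO(exported_csv))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames,
                            quoting=csv.QUOTE_ALL, lineterminator="\r\n")
    writer.writeheader()
    for row in reader:
        # Split on the delimiter, drop empty pieces, and rejoin with a line
        # feed; inside a quoted CSV field Excel reads it as an in-cell break.
        events = [e.strip() for e in row[field].split(delim) if e.strip()]
        row[field] = "\n".join(events)
        writer.writerow({k: neutralise(v) for k, v in row.items()})
    return out.getvalue()


if __name__ == "__main__":
    print(wrap_cells(SAMPLE))
```

The category and `_time` columns pass through unchanged, so each group keeps its other field values on the same row.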