How do I go from:
"metrics=[a=1,b=2,c=3]"
"metrics=[a=2,b=5,c=6]"
"metrics=[a=1,c=3,c=4]"
To:
"a,b,c"
"1,2,3"
"2,5,6"
"1,3,4"
extract didn't work. I'm using a remotesyslog streaming mechanism (no props.conf, transform.conf) foreach value
thanks
You don't need a transform to use extract. Try this:
... | extract kvdelim="=" pairdelim=","
richgalloway helped me to troubleshoot the extract command, which ultimately makes this problem much easier to deal with
Hi jamesrender,
usually Splunk recognizes fields when they are in the format field=value, so with a simple table command you can have the requested table:
yoursearch
| table a b c
Bye.
Giuseppe
ok, by redirecting my rex'd out field to _raw and THEN running kvdelim, I've got all the fields exposed
| rex field=message "msg=\[\{(?<metrics_detail>.*?)\}\]" | eval _raw=metrics_detail | extract kvdelim="=" pairdelim=","
how do I dump them to a table without explicitly doing table a b c, as there are 20 or more fields
What is the expected output from doing this?
I'd think new fields:
a=1
b=2
c=3
I don't see any effect of adding this to the query, no new fields 😞
I've used fieldsummary to see..
extract kvdelim="=" pairdelim=", " | fieldsummary
Try this run-anywhere example. I get separate fields with it.
| makeresults
| eval _raw= "metrics=[a=1,b=2,c=3]"
| extract kvdelim="=" pairdelim=",]"
Yes, that works nicely!
wth, I wonder what gives with my real world corporate data version.
This has helped reassure me that extract does work!
what is the field that extract is working on? I've done a rex to generate a field that's in the metrics=[a=1,b=2,c=3] format
I've gotten extract working when I redirect my rex'd field to _raw like so:
| rex field=message "msg=\[\{(?<metrics_detail>.*?)\}\]" | eval _raw=metrics_detail | extract kvdelim="=" pairdelim=","
So now I've a ton of fields, is there a short way to dump a lot of fields out other than explicitly doing table a b c
thanks, helped a lot
You can do |stats values(*) AS * to display the contents of all non-internal fields.
You can use | fields - _* | table * to display all non-internal fields.