topic How to number each line in a multiline event? in Getting Data In

How to number each line in a multiline event?

landen99 — Tue, 14 Apr 2015 14:43:44 GMT

Is there a way to take a multiline event:

a 1 b 2
c 2 d 4
e 5 c 6

and number each line?

1 a 1 b 2
2 c 2 d 4
3 e 5 c 6

like this?

Maybe using streamstats and current=f?

Re: How to number each line in a multiline event?

alacercogitatus — Tue, 14 Apr 2015 19:47:24 GMT

Streamstats should work.

<your_search> | streamstats count as EVTCOUNT

Each event then should have EVTCOUNT, one per event, increasing.

Re: How to number each line in a multiline event?

landen99 — Wed, 15 Apr 2015 12:09:22 GMT

I am talking about numbering the lines of multiline events You solution provides number of events and not the lines in each event, like this:

  a 1 b 2
1 c 2 d 4
  e 5 c 6

Re: How to number each line in a multiline event?

fdi01 — Wed, 15 Apr 2015 12:52:21 GMT

try like this :

| streamstats sum(linecount) as rank
or
| streamstats sum(linecount) as rank| table   rank|

Re: How to number each line in a multiline event?

landen99 — Wed, 15 Apr 2015 14:36:10 GMT

The linecount of the first event is 3, so I believe that would yield:

  a 1 b 2
3 c 2 d 4
  e 5 c 6

If the next event were exactly the same and had therefore had 3 lines, we should see:

  a 1 b 2
6 c 2 d 4
  e 5 c 6

I will test later to verify.

Re: How to number each line in a multiline event?

chimell — Wed, 15 Apr 2015 15:03:35 GMT

Hi landen99
Try the search code below
examine attentively After extracting the fields which are in your event

   .....|rex max_match=0 field=_raw "\s+(?P<field1>\S+)\s+(?P<field2>\d+)\s+(?P<field3>\S+)\s+(?P<field4>\d+)"| eval fields=mvzip(field1,mvzip(field2,mvzip(field3,field4)))|mvexpand fields|eval fil=split(fields,",")|eval fiel1=mvindex(fil,0)|eval fiel2=mvindex(fil,1)|eval fiel3=mvindex(fil,2)
        |eval fiel4=mvindex(fil,3)|streamstats count as number_line|eval fi1=mvzip(number_line,mvzip(fiel1,mvzip(fiel2,mvzip(fiel3,fiel4," ")," ")," ")," ")|stats list(fi1) as test2

Re: How to number each line in a multiline event?

landen99 — Wed, 15 Apr 2015 17:46:57 GMT

This search appears to do the following:
* extract each column as field1-4 (using rex)
* combine each field into line field called fields (using mvzip)
* separates the multivalue field of lines into separate events
* splits the line field by commas which do not exist in the value ...

It would be so much easier to just separate the event by lines into new events and then streamstats count to track event and line order separately

| streamstats count AS event_num | rex max_match=0 "(?P<line>[^\n]+)\n+" | mvexpand line | streamstats count AS line_num by event_num | eval line_new=line_num." - ".line | stats list(line_new) AS line_new by event_num

Re: How to number each line in a multiline event?

Gilberto_Castil — Wed, 15 Apr 2015 18:05:27 GMT

You should try the accum command in the search language. This will allow you to aggregate to a variable value in an ascending fashion. For instance, assume that your data has been indexed.

Because Splunk will index and show the data in reverse order Last In First Out (LIFO), you need to decide how the order it for presentation. Assume we want the data as it was originally written to the log file (not the way it was indexed); use reverse to align it accordingly.

Create a new variable called No and use accum to increase the variable value by one (1).

All together the search looks something like this:

sourcetype="answers-1429120234" | reverse | eval No=1 | accum No | table No _raw

Good luck and happy Splunking 🙂

--
gc

Re: How to number each line in a multiline event?

stephane_cyrill — Wed, 15 Apr 2015 23:32:05 GMT

Hi,
If there is a way you can have your event in the statistic tab, and if you are using splunk 6.2, you can go in format option and select LINE NUMBER to yes

Re: How to number each line in a multiline event?

landen99 — Thu, 16 Apr 2015 00:50:16 GMT

I love your answer. It introduced me to two new Splunk functions (reverse and accum) which provide a very simple solution. Your solution does begin with the assumption that the data has already been broken data with each row as an event before it is indexed. To apply your solution from my test data where the rows are grouped together into each event when indexed, I would simply alter your solution as follows:

| eventstats count AS event_num | rex max_match=0 "(?P<line>[^\n]+)\n+" | mvexpand line | eval line_num=1 | accum line_num | table event_num line_num line

In addition to your results, this simply adds numbering for each event that each line originally belonged to. It differs from my eventstats solution in that the numbering does not restart with each new event. I like my eventstats solution better though.

| eventstats count AS event_num | rex max_match=0 "(?P<line>[^\n]+)\n+" | mvexpand line | eventstats count AS line_num by event_num | eval line_new=line_num." - ".line | stats list(line_new) AS line_new by event_num