https://community.splunk.com/t5/Splunk-Search/How-to-get-multiple-dynamic-values-from-a-single-log-line/m-p/393496#M114440 <P>Awesome that worked. I had played with the mv functions before but couldn't get it to work. Much appreciated</P> Thu, 11 Apr 2019 03:06:55 GMT littlgra 2019-04-11T03:06:55Z https://community.splunk.com/t5/Splunk-Search/How-to-get-multiple-dynamic-values-from-a-single-log-line/m-p/393494#M114438 <P>We have numerous log lines that are in a format similar to the following:-</P> <PRE><CODE>2019-04-09 13:00:03 DEBUG DynamicName1 1000 (1.00) ; DynamicName2 2000 (2.00) ; 2019-04-09 13:00:02 DEBUG DynamicName2 500 (0.50) ; DynamicName4 3100 (3.10) ; DynamicName5 12000 (12.00) ; 2019-04-09 13:00:00 DEBUG DynamicName1 600 (0.60) ; DynamicName5 2100 (2.10) ; </CODE></PRE> <P>The DynamicName# is a dynamic string that can have multiple values per line (but never the same value per line), the numbers after it represent a timing in milliseconds and then seconds.</P> <P>What I want to get is a table of all the unique DynamicName(s), their average execution times and counts</P> <P>However, I can't quite get the extraction correct. When I use a rex, for example</P> <PRE><CODE>rex field=_raw "(?&lt;name&gt;\w+) (?&lt;time&gt;\d+) \(\d+.\d+\)" | table name time </CODE></PRE> <P>However this creates a table of multiple values per row and then I can't use other commands on it correctly. For example:-</P> <PRE><CODE>rex field=_raw "(?&lt;name&gt;\w+) (?&lt;time&gt;\d+) \(\d+.\d+\) ; " | table name time | sort -time </CODE></PRE> <P>Does not result in the correct result I am expecting.</P> <P>Is there a way I can correctly extract the data to get true dynamic multiple values that I can then table with 1 DynamicName per table row</P> Tue, 09 Apr 2019 06:10:46 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-multiple-dynamic-values-from-a-single-log-line/m-p/393494#M114438 littlgra 2019-04-09T06:10:46Z https://community.splunk.com/t5/Splunk-Search/How-to-get-multiple-dynamic-values-from-a-single-log-line/m-p/393495#M114439 <P>Try splitting it up into a mv field after stripping out the first characters that aren't needed: </P> <PRE><CODE>| eval foo=replace(_raw, "\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} DEBUG", "") | makemv delim=";" foo | mvexpand foo | rex field=foo "(?&lt;name&gt;\w+) (?&lt;time&gt;\d+) \(\d+.\d+\)" | table name time | sort -time </CODE></PRE> <P>Then you can use mvexpand to split it up into multiple events and your regex can work on that.</P> Wed, 10 Apr 2019 14:56:54 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-multiple-dynamic-values-from-a-single-log-line/m-p/393495#M114439 grittonc 2019-04-10T14:56:54Z https://community.splunk.com/t5/Splunk-Search/How-to-get-multiple-dynamic-values-from-a-single-log-line/m-p/393496#M114440 <P>Awesome that worked. I had played with the mv functions before but couldn't get it to work. Much appreciated</P> Thu, 11 Apr 2019 03:06:55 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-multiple-dynamic-values-from-a-single-log-line/m-p/393496#M114440 littlgra 2019-04-11T03:06:55Z