topic Re: How to split up multiple values within a field (mvexpand) in Splunk Search

How to split up multiple values within a field (mvexpand)

mklhs — Mon, 26 Aug 2019 11:19:42 GMT

Hi,

The output of both systems is written to the same index and differ by the component contained in the event.

e.g:
user=x component=old target=foobar
OR
user=x component=new target=foobar
|stats dc(component) as condition, list(msglog) as msglog, list(component) as component

| where condition>1

I have a data that looks like this:

A field is grouped into multiple fields (example "msglog", "Date", "component" . However, I want to extract them all separately in one field and list them in a table by targetID. The result should look like this:

|target |condition |msglog |component
|footbar | 2 |Registration successful |old
|footbar | 2 |Registration successful |new
|footbar | 2 |invalid login |new

There is an additional field with msglog=invalid login with component=old, which is not correct.

|target |condition |msglog |component
|footbar | 2 |Registration successful |old
|footbar | 2 |Registration successful |new
|footbar | 2 |invalid login |new
|footbar | 2 |invalid login |old

Thanks for your Help and your Time

Re: How to split up multiple values within a field (mvexpand)

diogofgm — Mon, 26 Aug 2019 12:35:57 GMT

mvexpand will expand that particular field and copy the others that's why when you expand "msglog" both "Registration successful" and "invalid login" will have then a mv field "component" with both "new" and "old" values for each "msglog" value

does each event has every field? target, condition, msglog, component
because from what I see there is no way (with your search) you could have those results

user=x component=old target=foobar
OR
user=x component=new target=foobar
|stats dc(component) as condition, list(msglog) as msglog, list(component) as component

target won't be an available field in the results here. Only condition, msglog, component.
Can you post some raw data?

Re: How to split up multiple values within a field (mvexpand)

mklhs — Mon, 26 Aug 2019 13:27:47 GMT

Hello @diogofgm
Here are the raw data:

{"timestamp":"2019-07-12T20:48:08.371+02:00",
"user":"x",
"component":"new",
"target":"footbar",
"msglog":"invalid login"
}
..........
{"timestamp":"2019-07-12T20:48:08.25+02:00",
"user":"x",
"component":"old",
"target":"footbar",
"msglog":"Registration successful"
}
...........

{"timestamp":"2019-07-12T20:48:08.184+02:00",
"user":"x",
"component":"new",
"target":"footbar",
"msglog":"Registration successful"
}

As I said, 1 field has several values in one row (
i.e. the value has "msglog"
"Registration successful"
"Registration successful"
"invalid login"). I would like to have these values in a table in a separate line extracted so that the results are correct. Otherwise, I can not limit my results, for example, only to "Registration successful"

Re: How to split up multiple values within a field (mvexpand)

diogofgm — Mon, 26 Aug 2019 15:16:27 GMT

is this 1 event or 3?
if its 1 event you should be breaking your event
if its 3 events use |eventstats dc(component) AS condition | table target condition msglog component

Re: How to split up multiple values within a field (mvexpand)

woodcock — Mon, 26 Aug 2019 15:28:28 GMT

Just do this:

index=<You should always specify index> AND sourcetype=<And sourcetype too>
| table target condition msglog component
| filldown target
| filldown condition