https://community.splunk.com/t5/Splunk-Search/Raw-data-only-parsing-the-first-instance/m-p/501409#M139604 <P>What is <CODE>&lt;search criteria&gt;</CODE>?</P> Fri, 27 Mar 2020 13:00:35 GMT richgalloway 2020-03-27T13:00:35Z https://community.splunk.com/t5/Splunk-Search/Raw-data-only-parsing-the-first-instance/m-p/501408#M139603 <P>Hello All,</P> <P>I have a data like this</P> <P><CODE>X1=[A(status=X, reason=Y), A(status=Z, reason=Y), A(status=xyz, reason=abc)]</CODE></P> <P>Now when I am using the query <CODE>&lt;search criteria&gt; | table status, reason</CODE> it is giving values "X" and "Y"<BR /> 1. Trying to understand why it is not considering the values Z &amp; Y and xyz &amp; abc<BR /> 2. If I have to get the result of values Z &amp; Y and xyz &amp; abc how to retrieve?</P> Fri, 27 Mar 2020 03:10:00 GMT https://community.splunk.com/t5/Splunk-Search/Raw-data-only-parsing-the-first-instance/m-p/501408#M139603 praddasg 2020-03-27T03:10:00Z https://community.splunk.com/t5/Splunk-Search/Raw-data-only-parsing-the-first-instance/m-p/501409#M139604 <P>What is <CODE>&lt;search criteria&gt;</CODE>?</P> Fri, 27 Mar 2020 13:00:35 GMT https://community.splunk.com/t5/Splunk-Search/Raw-data-only-parsing-the-first-instance/m-p/501409#M139604 richgalloway 2020-03-27T13:00:35Z https://community.splunk.com/t5/Splunk-Search/Raw-data-only-parsing-the-first-instance/m-p/501410#M139605 <P>Hi @richgalloway the raw data is like <CODE>service: mnp, o=123, X1=[A(status=X, reason=Y), A(status=Z, reason=Y), A(status=xyz, reason=abc)]</CODE></P> <P>and my <CODE>&lt;search criteria&gt;</CODE> is <CODE>service</CODE></P> Sat, 28 Mar 2020 14:22:55 GMT https://community.splunk.com/t5/Splunk-Search/Raw-data-only-parsing-the-first-instance/m-p/501410#M139605 praddasg 2020-03-28T14:22:55Z https://community.splunk.com/t5/Splunk-Search/Raw-data-only-parsing-the-first-instance/m-p/501411#M139606 <P>sample query:</P> <PRE><CODE>| makeresults | eval _raw="service: mnp, o=123, X1=[A(status=X, reason=Y), A(status=Z, reason=Y), A(status=xyz, reason=abc)]" | rex max_match=0 "status=(?&lt;status&gt;\w+), reason=(?&lt;reason&gt;\w+)" | table status reason | eval _counter = mvrange(0,mvcount(status)) | stats list(*) as * by _counter | foreach * [ eval &lt;&lt;FIELD&gt;&gt; = mvindex('&lt;&lt;FIELD&gt;&gt;', _counter)] | fields - _* </CODE></PRE> <P>recommend:</P> <PRE><CODE>&lt;search criteria&gt; | rex max_match=0 "status=(?&lt;status&gt;\w+), reason=(?&lt;reason&gt;\w+)" | fields status reason | eval _counter = mvrange(0,mvcount(status)) | stats list(*) as * by _counter | foreach * [ eval &lt;&lt;FIELD&gt;&gt; = mvindex('&lt;&lt;FIELD&gt;&gt;', _counter)] | fields - _* | table status, reason </CODE></PRE> Sat, 28 Mar 2020 23:09:05 GMT https://community.splunk.com/t5/Splunk-Search/Raw-data-only-parsing-the-first-instance/m-p/501411#M139606 to4kawa 2020-03-28T23:09:05Z https://community.splunk.com/t5/Splunk-Search/Raw-data-only-parsing-the-first-instance/m-p/501412#M139607 <P>Hello @to4kawa <BR /> It is still giving me values "X" and "Y"</P> Sat, 28 Mar 2020 23:16:51 GMT https://community.splunk.com/t5/Splunk-Search/Raw-data-only-parsing-the-first-instance/m-p/501412#M139607 praddasg 2020-03-28T23:16:51Z https://community.splunk.com/t5/Splunk-Search/Raw-data-only-parsing-the-first-instance/m-p/501413#M139608 <P>use <CODE>where</CODE> OR <CODE>search</CODE></P> Sat, 28 Mar 2020 23:56:05 GMT https://community.splunk.com/t5/Splunk-Search/Raw-data-only-parsing-the-first-instance/m-p/501413#M139608 to4kawa 2020-03-28T23:56:05Z https://community.splunk.com/t5/Splunk-Search/Raw-data-only-parsing-the-first-instance/m-p/501414#M139609 <P>I am only using <CODE>where</CODE> but still the same</P> Sun, 29 Mar 2020 00:50:52 GMT https://community.splunk.com/t5/Splunk-Search/Raw-data-only-parsing-the-first-instance/m-p/501414#M139609 praddasg 2020-03-29T00:50:52Z https://community.splunk.com/t5/Splunk-Search/Raw-data-only-parsing-the-first-instance/m-p/501415#M139610 <P>I see, your query is wrong</P> Sun, 29 Mar 2020 02:43:01 GMT https://community.splunk.com/t5/Splunk-Search/Raw-data-only-parsing-the-first-instance/m-p/501415#M139610 to4kawa 2020-03-29T02:43:01Z https://community.splunk.com/t5/Splunk-Search/Raw-data-only-parsing-the-first-instance/m-p/501416#M139611 <P>Hi @to4kawa <BR /> can you please explain a bit more when you say the query is wrong? What I meant above is in the complete query I am not using <CODE>search</CODE> instead using <CODE>where</CODE></P> <P><CODE>service<BR /> | where not reason like "%P%"<BR /> |table status, reason</CODE></P> Tue, 31 Mar 2020 01:34:12 GMT https://community.splunk.com/t5/Splunk-Search/Raw-data-only-parsing-the-first-instance/m-p/501416#M139611 praddasg 2020-03-31T01:34:12Z https://community.splunk.com/t5/Splunk-Search/Raw-data-only-parsing-the-first-instance/m-p/501417#M139612 <PRE><CODE>| where not reason like "%P%" </CODE></PRE> <P>This can't work.<BR /> where <CODE>"%P%"</CODE> come from?<BR /> Don't you select <CODE>NOT (status="X" AND reason="Y")</CODE>?</P> Tue, 31 Mar 2020 21:27:16 GMT https://community.splunk.com/t5/Splunk-Search/Raw-data-only-parsing-the-first-instance/m-p/501417#M139612 to4kawa 2020-03-31T21:27:16Z