topic Re: How Can I Separate Events Using Search Query? in Splunk Search

How Can I Separate Events Using Search Query?

dantimola — Fri, 02 Feb 2018 07:08:51 GMT

Hi All,

Good Day, I've indexed an event from scripted input but the events are not breaking every line, example logs are in below. How can I expand the event to every line using Splunk Search Query? Thanks.

Sample event:

   02/02/2018        user, hostname
   12:00:00.000      user1, hostname1
                     user2, hostname2

Expected Output

02/02/2018     user, hostname
12:00:00.000

02/02/2018     user1, hostname1
12:00:00.000

02/02/2018     user2, hostname2
12:00:00.000

Re: How Can I Separate Events Using Search Query?

niketn — Fri, 02 Feb 2018 07:15:07 GMT

@dantimola can you add some sample raw event? Is Time field available for each line you want to break on? Is the following setting enabled for your scripted input sourcetype?

SHOULD_LINEMERGE = false

Re: How Can I Separate Events Using Search Query?

dantimola — Fri, 02 Feb 2018 07:27:47 GMT

SHOULD_LINEMERGE on props.conf already enabled. Sample raw event is in the "Sample Event:" found in the question.

Re: How Can I Separate Events Using Search Query?

mayurr98 — Fri, 02 Feb 2018 07:31:20 GMT

try this :

<your_base_search>| eval data=mvzip(user,hostname)
| makemv delim=","
| mvexpand data

let me know if this helps!

Re: How Can I Separate Events Using Search Query?

dantimola — Fri, 02 Feb 2018 07:39:59 GMT

This is the closest one I've got, however, it didn't split the event just like the output I wanted but it let me create a new field I need using rex.

<my search here>
| rex mode=sed "s/([\r\n]+)/||/g" 
| makemv _raw delim="||" 
| mvexpand _raw 
| rex (?<user>\w+) 
| rex "||"(?<user>\w+)
| rex ", "(?<hostname>\w+)

Re: How Can I Separate Events Using Search Query?

dantimola — Fri, 02 Feb 2018 07:42:54 GMT

Thank you for your answer, I got the idea but it didn't give me the output I wanted.

Re: How Can I Separate Events Using Search Query?

mayurr98 — Fri, 02 Feb 2018 07:49:38 GMT

can you provide some sample events ?

Re: How Can I Separate Events Using Search Query?

dantimola — Fri, 02 Feb 2018 07:56:10 GMT

Here's the sample event:

username, PC-1
admin, PC-2
sample, SERVER_1
admin1, SERVER_1

The output I want is this

timestamp  username, PC-1
another timestamp admin, PC-2
.......

Re: How Can I Separate Events Using Search Query?

mayurr98 — Fri, 02 Feb 2018 08:03:30 GMT

Try this run anywhere search

| makeresults 
| eval _time="02/02/2018 12:00:00.000",USER="username admin sample admin1",HOSTNAME="PC-1 PC-2 SERVER_1 SERVER_1" 
| makemv USER 
| makemv HOSTNAME 
| eval data=mvzip(HOSTNAME,USER) 
| mvexpand data 
| table _time data 
| rex field=data "(?<hostname>[^\,]+)\,(?<user>.*)" 
| fields- data