topic How do I extract multiple events from one event using SPL? in Splunk Search

How do I extract multiple events from one event using SPL?

danwilson — Tue, 24 Apr 2018 22:58:23 GMT

I have data that represents values on bidirectional connections for a graph structure.

For example, each event has fields like

NodeA: "nodea"
NodeB: "nodeb"
Forward_Metric: 5
Reverse_Metric: 3

Usually, I want the data in this format, but occasionally, I'd like to separate this line into 2 events like this

NodeA: "nodea"
NodeB: "nodeb"
Metric: 5

and

NodeA: "nodeb"
NodeB: "nodea"
Metric: 3

What I've done is create a string with the multiple events that I then split up into an mv and deal with that, like this:

...
| eval combined=NodeA.",".NodeB.",".Forward_Metric.";".NodeB.",".NodeA.",".Reverse_Metric
| fields _time, combined
| makemv delim=";" combined
| mvexpand combined
| rex field=combined "(?<NodeA>.*),(?<NodeB>.*),(?<Metric>.*)"
| fields - combined

Is there anything in splunk to eliminate any of these steps? Or just a better way to do it?

Thanks!

Re: How do I extract multiple events from one event using SPL?

DalJeanis — Tue, 24 Apr 2018 23:17:46 GMT

Try this -

 your search that creates these fields -
| table nodeA nodeB  Forward_Metric  Reverse_Metric

| rename COMMENT as "create an MV field with two values then duplicate the record"
| eval fan=mvrange(0,2)
| mvexpand fan

| rename COMMENT as "create the three needed values in new fields"
| eval nodeA1=if(fan=0,nodeA,nodeB)
| eval nodeB1=if(fan=0,nodeB,nodeA)
| eval Metric=if(fan=0,Forward_Metric,Reverse_Metric)

| rename COMMENT as "drop unneeded fields then rename to what you want"
| table nodeA1 nodeB1 Metric
| rename nodeA1 as nodeA, nodeB1 as nodeB

Re: How do I extract multiple events from one event using SPL?

danwilson — Wed, 25 Apr 2018 11:08:41 GMT

I like that idea. It's still not as clean as I was hoping, but it's better than what I was doing.