topic Re: How to expand multivalue fields after using streamstats command? in Splunk Search

How to expand multivalue fields after using streamstats command?

like2splunk — Tue, 29 Sep 2020 13:38:04 GMT

Hello, I am trying to figure out how to expand multivalue fields after using the streamstats command.
I have an event called "Set Range" that happens frequently and sometimes there is an error after this event happens.
Occasionally there are multiple errors following a "Set Range" event.
There is useful information that I want to extract from the "Set Range" event and correlate to the respective error(s).
My search is below in ITALICS:

index="logs" process=beamCommonProcess
"Transitioned to Error State" OR "SET_RANGE activity requested for beam supply point" OR "DISABLE_BEAM activity is complete" OR "ENABLE_BEAM activity requested" OR "beam allocated to" OR "beam deallocated from"
| reverse
| streamstats count(eval(searchmatch("SET_RANGE activity requested for beam supply point"))) AS SessionID
| stats min(_time) AS _time count(eval(searchmatch("Transitioned to Error State"))) AS error_count count(eval(searchmatch("Beam allocated to"))) AS endbeam_count list(_raw) AS _raw BY SessionID
| search error_count>0
| rex "RCU Error: .?Submap: \d+\s*((?.?):"
| eval output = if(output="Device","Device Overrange",output)
| table _time SessionID rcu_msg

An example of the subsequent results is in the screenshot below (also attached):

As you can see, in some cases there are multiple "rcu_msg" events for the same SessionID.
What I want is to expand such message groups into individual line items.
In other words, instead of 6 lines with some groups as shown in the screenshot, I want 9 individual lines each correlated to their respective SessionID. Thereafter I'm going to REX the useful information, but I can't do so until the multivalue fields are expanded.
I tried mvexpand _raw but this did not do anything.

PLEASE HELP!

Re: How to expand multivalue fields after using streamstats command?

gfuente — Tue, 11 Apr 2017 09:24:38 GMT

Hello

You need to use the mvexpand command, but using the rcu_msg field, example:

... | mvexpand rcu_msg | ...

Regards

Re: How to expand multivalue fields after using streamstats command?

niketn — Tue, 11 Apr 2017 09:30:57 GMT

@like2splunk... if you perform field extraction for rcu_msg ideally through Field Extraction Knowledge Object or in your example using rex command, you ca use the same in stats directly

 <Your Base Search>
|<Your rex command for rcu_msg>
| stats min(_time) AS _time count(eval(searchmatch("Transitioned to Error State"))) AS error_count count(eval(searchmatch("Beam allocated to"))) AS endbeam_count list(_raw) AS _raw BY SessionID, rcu_msg
| table _time SessionID rcu_msg

Re: How to expand multivalue fields after using streamstats command?

cmerriman — Tue, 11 Apr 2017 12:06:19 GMT

you'd want to use |fillnull rcu_msg value="N/A" first, though, I believe for that blank row.