topic Re: how to get the first(_raw) when i have split my pattern which were separated by pipe "|" using eval and split command. in Splunk Search

how to get the first(_raw) when i have split my pattern which were separated by pipe "|" using eval and split command.

annamareddi — Fri, 26 Aug 2016 13:40:14 GMT

unique_exception= pattern1|pattern2|pattern3
all these three patterns(1,2,3) are tagged to unique number 111.
eval temp=split(unique_exception, "|")|stats values(temp) by temp
i am getting output as follows
111 - pattern1
111 - pattern2
111 - pattern3

now how to get the first event for these individual events (pattern1 and pattern2 and pattern3) separately.

Re: how to get the first(_raw) when i have split my pattern which were separated by pipe "|" using eval and split command.

inventsekar — Fri, 26 Aug 2016 13:51:22 GMT

Please check this

eval temp=split(unique_exception, "|")|stats first(_time) as _time values(temp) by temp

There is a good reference for Functions for stats in the docs. - http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Commonstatsfunctions

Re: how to get the first(_raw) when i have split my pattern which were separated by pipe "|" using eval and split command.

sundareshr — Fri, 26 Aug 2016 13:59:41 GMT

See if this helps

... | makemv unique_exception delim="|" | mvexpand unique_exception | stats first(_raw) as first_occurrence by unique_exception