topic Re: Put extracted REX values in single row in table while using transaction in Splunk Search

How to put extracted REX values in single row in table while using transaction?

mrunalaghara — Tue, 01 Mar 2022 17:33:00 GMT

I am performing theSplunk query on following result, The following field repeats 100 times with different values

randomstring=randomstring&firstRex=firstRexValue&anotherradomstring=antotherrandomstring&secondRex=secondrexvalue&somotherstuff=someotherstuffvalue&yetanotherstuff=yetanotherstuffvalue&thirdRex=thirdrexvalue

the Splunk query is as below.

Now when I do table, the value2 and value3 doesn't seems connected. I mean the column value2 has 5 rows while column value3 has 7 rows for example.

Further, I would also like to add date for each event in the table, how can I do it?

and I would need your suggestion to perform regex in single rex query instead of three 🙂

Re: Put extracted REX values in single row in table while using transaction

somesoni2 — Tue, 01 Mar 2022 14:02:08 GMT

See if this helps:

Re: Put extracted REX values in single row in table while using transaction

ITWhisperer — Tue, 01 Mar 2022 14:06:05 GMT

Are the values always present?

source="source" searchquery | rex "firstRex=(?<value1>[^&]+).+secondRex=(?<value2>[^&]+).+thirdRex=(?<value3>[^&]+)" | stats list(value2) as value2 list(value3) as value3 by value1

Re: Put extracted REX values in single row in table while using transaction

mrunalaghara — Tue, 01 Mar 2022 15:00:42 GMT

Thanks for your reply, but doesn't make any change 😞

Re: Put extracted REX values in single row in table while using transaction

mrunalaghara — Tue, 01 Mar 2022 15:02:53 GMT

Thank you for your reply. but nomv value3 is combining the values... they are very hard to distinguish as it presents like a paragraph.

Re: Put extracted REX values in single row in table while using transaction

ITWhisperer — Tue, 01 Mar 2022 15:11:17 GMT

Well, you haven't really answered the question - are these values present (in every event)?

Another question: what would your expected results look like?

Re: Put extracted REX values in single row in table while using transaction

mrunalaghara — Tue, 01 Mar 2022 15:26:04 GMT

Yes, these values present in all the events. I expect the answer to look like below table. The values of each transaction based on value3 should be combined. Each transaction may have 1 to 15 events. But they all have unique Value3

-----------------------------

firstRexValue1FirstTransaction

firstRexValue2FirstTransaction

firstRexValue3FirstTransaction

firstRexValue4FirstTransaction

firstRexValue5FirstTransaction

secondRexValue1FirstTransaction

secondRexValue2FirstTransaction

secondRexValue3FirstTransaction

secondRexValue4FirstTransaction

secondRexValue5FirstTransaction

firstRexValue1SecondTransaction

firstRexValue2SecondTransaction

firstRexValue3SecondTransaction

secondRexValue1SecondTransaction

secondRexValue2SecondTransaction

secondRexValue3SecondTransaction

firstRexValue1ThirdTransaction

firstRexValue2ThirdTransaction

firstRexValue3ThirdTransaction

firstRexValue4ThirdTransaction

secondRexValue1ThirdTransaction

secondRexValue2 secondRexValue3

secondRexValue3 secondRexValue3

Re: Put extracted REX values in single row in table while using transaction

ITWhisperer — Tue, 01 Mar 2022 15:32:00 GMT

So, value3 is the (common/linking) transaction id?

source="source" searchquery | rex "firstRex=(?<value1>[^&]+).+secondRex=(?<value2>[^&]+).+thirdRex=(?<value3>[^&]+)" | stats list(value1) as value1 list(value2) as value2 by value3

Re: Put extracted REX values in single row in table while using transaction

mrunalaghara — Tue, 01 Mar 2022 15:33:15 GMT

Yes Value3 is common transaction id