topic Re: Possible to show all values from same field name with different values from one Event in Splunk Search

Possible to show all values from same field name with different values from one Event?

FGAnders — Wed, 10 Aug 2022 14:16:53 GMT

Hi,

I'm trying to make my query show all the different values from one field (Product) that it is showing in the Event. I have data from Event that has Product=ABC, Product=????? and Product=??. The Products will have random / different values.

When I run the query it will only show me the Product=ABC not any of the others with different values but same field.

index=X Name=* currency=* channel=* country=* state=* Product=* | stats list(Name) as Name, list(currency) as currency, list(amount) as amount, list(channel) as device, list(country) as From, list(state) as Status, list(Product) as Products |

I would like to have it show all the Products from the one event. So in case there are 3 Products

Products
ABC
?????
??

---

In case I have another event with four fields with Products it has to show all 4.

Products
ABC
?????
??
4th Product

Is this possible ?

Thank you,

Re: Possible to show all values from same field name with different values from one Event

ITWhisperer — Wed, 10 Aug 2022 09:02:37 GMT

This part of your search produces a pipeline of events from your index

index=X Name=* currency=* channel=* country=* state=* Product=*

This part aggregates all the events in the pipeline into a single event

| stats list(Name) as Name, list(currency) as currency, list(amount) as amount, list(channel) as device, list(country) as From, list(state) as Status, list(Product) as Products

If you want to table each event separately (so you can see the multi-value Products for example), replace the stats with a table command

| table Name, currency, amount, channel, country, state, Product

If this is not what you are after, please can you provided some sample events (preferably in a code block </>) and an example of the desired output

Re: Possible to show all values from same field name with different values from one Event

FGAnders — Wed, 10 Aug 2022 09:47:26 GMT

Hi,

Thank you for fast reply

I tried to only run as shorter query like:

index=X Name=JohnA | table Name Product

I still only see the first Product of the event from the index.

Name Product JohnA ABC

If I go to the event in the index I can see that Product=ABC, Product=?? and Product=GOLD is shown in the event data. But it seems to only show me one of them.

Some of the data from event.

Name='JohnA',selection=2,Product='ABC',description=<null>,country='MT',selection=1,Product='??',description=<null>,country='MT',selection=2,Product='GOLD',description=<null>,country='MT',

I would like it to show all the Products like this

Name Product JohnA ABC,??,GOLD

Or like this

Name Product JohnA ABC ?? GOLD

Everything else its getting shown correctly except when there is same field with different values in one single event.

Thank you,

Re: Possible to show all values from same field name with different values from one Event

ITWhisperer — Wed, 10 Aug 2022 09:50:54 GMT

You could use rex to extract the multiple instances of the field(s), Product for example

| rex max_match=0 "Product=(?<Product>[^,]+)"

However, you probably want to look at your transforms.conf and props.conf for the source type to handle multi-value fields

Re: Possible to show all values from same field name with different values from one Event

FGAnders — Wed, 10 Aug 2022 09:55:22 GMT

Thank you very much, this works.