https://community.splunk.com/t5/Splunk-Search/trying-to-split-one-event-into-multiple-events/m-p/703434#M238422 <P>You could try something like this</P><LI-CODE lang="markup">| eval _raw=body | multikv forceheader=1</LI-CODE><P>Although you may need to rename the fields afterwards</P> Sun, 03 Nov 2024 13:14:55 GMT ITWhisperer 2024-11-03T13:14:55Z https://community.splunk.com/t5/Splunk-Search/trying-to-split-one-event-into-multiple-events/m-p/703347#M238405 <P>Please help me to extract multiple values from one single value.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="rukshar_0-1730491613716.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/33326iCEB1EB30F4BBBD12/image-size/medium?v=v2&amp;px=400" role="button" title="rukshar_0-1730491613716.png" alt="rukshar_0-1730491613716.png" /></span></P><P>&nbsp;</P> Fri, 01 Nov 2024 20:13:46 GMT https://community.splunk.com/t5/Splunk-Search/trying-to-split-one-event-into-multiple-events/m-p/703347#M238405 rukshar 2024-11-01T20:13:46Z https://community.splunk.com/t5/Splunk-Search/trying-to-split-one-event-into-multiple-events/m-p/703349#M238406 <P>What do you mean by "split"? This is obviously not an event but a result of a search. So adjust your search to not merge all results into multivalued fields (which by the way give you no guarantee that "the same" row from each of those fields correspond to the same event in the original data or whatever data you're summarizing it from).</P> Fri, 01 Nov 2024 21:25:38 GMT https://community.splunk.com/t5/Splunk-Search/trying-to-split-one-event-into-multiple-events/m-p/703349#M238406 PickleRick 2024-11-01T21:25:38Z https://community.splunk.com/t5/Splunk-Search/trying-to-split-one-event-into-multiple-events/m-p/703367#M238407 <P>Hello&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/231884">@PickleRick</a>&nbsp;,<BR /><BR />Yes, this is the search on the basis of email logs which is giving me one result and i need that search to be multivalued not single valued as you can see in my snippet its giving statistics 1 rather than 3131 which is actually there in the data.<BR /><BR />LOGS:<BR /><BR /></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="rukshar_0-1730517118707.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/33327iE88223B0EBD0D0F2/image-size/medium?v=v2&amp;px=400" role="button" title="rukshar_0-1730517118707.png" alt="rukshar_0-1730517118707.png" /></span></P><P><BR /><BR />I need this 3131 to be spiltted into mutiple rows with my other following fields as shown in the previous screenshot. when i am doing mvexpand Computer_name its coming 3131 but as soon as i am applying other fields its not showing the data.<BR /><BR /></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="rukshar_1-1730517345530.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/33328i4E2FA24FB7CA407D/image-size/medium?v=v2&amp;px=400" role="button" title="rukshar_1-1730517345530.png" alt="rukshar_1-1730517345530.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P> Sat, 02 Nov 2024 03:24:18 GMT https://community.splunk.com/t5/Splunk-Search/trying-to-split-one-event-into-multiple-events/m-p/703367#M238407 rukshar 2024-11-02T03:24:18Z https://community.splunk.com/t5/Splunk-Search/trying-to-split-one-event-into-multiple-events/m-p/703374#M238408 <P>Ouch.</P><P>This is a very ugly data.</P><P>It's not only unnecessarily complicated and needs a lot of "untangling" to get it parsed properly (so that you cannot write reasonable extractions) it also contains a huge blob of stuff that is effectively separate data points. So if you want to search for just one pf those hosts, you still have to make Splunk dig through whole load of completely irrelevant data.</P><P>Additionally, you <EM>are</EM> doing something to your data because the <EM>body</EM> field if simply extracted from the json would have just have a long string, not separate fields.</P><P>So maybe just post your search as it is. My glass orb is being fixed as we speak.</P> Sat, 02 Nov 2024 10:16:03 GMT https://community.splunk.com/t5/Splunk-Search/trying-to-split-one-event-into-multiple-events/m-p/703374#M238408 PickleRick 2024-11-02T10:16:03Z https://community.splunk.com/t5/Splunk-Search/trying-to-split-one-event-into-multiple-events/m-p/703385#M238409 Please just post your current query inside code block "&lt;/&gt;" button when you write your post.<BR />Then mockup what and how you want too see the result. One picture is usually better than thousand words. Sat, 02 Nov 2024 13:24:38 GMT https://community.splunk.com/t5/Splunk-Search/trying-to-split-one-event-into-multiple-events/m-p/703385#M238409 isoutamo 2024-11-02T13:24:38Z https://community.splunk.com/t5/Splunk-Search/trying-to-split-one-event-into-multiple-events/m-p/703387#M238410 <P>This is the query i am using in my search.&nbsp;<SPAN>I need my output into mutiple rows.(snippet provided)</SPAN></P> <P>&nbsp;</P> <LI-CODE lang="markup">index=mail "*tanium*" |spath body |rex field=body max_match=0 "\"(?&lt;Computer_name&gt;.*)\",\"ACN" |rex field=body max_match=0 "\"(?&lt;Computer_name1&gt;.*)\",\"\[n" |rex field=Computer_name1 max_match=0 "(?&lt;Computer_name2&gt;.*)\",\"\[n" |rex field=body max_match=0 "\,(?&lt;Patch_List_Name1&gt;.*)\"\[" |rex field=Patch_List_Name1 max_match=0 "\"(?&lt;Patch_List_Name&gt;.*)\",\"" |rex field=Patch_List_Name1 max_match=0 "\",\""(?&lt;Compliance_status&gt;.*)\" |eval Computer_name=mvappend(Computer_name,Computer_name2) |table Computer_name Compliance_status Patch_List_Name</LI-CODE> <P><BR /><BR /></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="rukshar_1-1730555096393.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/33332iA8F12D85EC50125A/image-size/medium?v=v2&amp;px=400" role="button" title="rukshar_1-1730555096393.png" alt="rukshar_1-1730555096393.png" /></span></P> Sat, 02 Nov 2024 14:08:38 GMT https://community.splunk.com/t5/Splunk-Search/trying-to-split-one-event-into-multiple-events/m-p/703387#M238410 rukshar 2024-11-02T14:08:38Z https://community.splunk.com/t5/Splunk-Search/trying-to-split-one-event-into-multiple-events/m-p/703409#M238411 <P>Ok. So you are simply extracting the fields using some predefined "anchor points". You are in for a treat if ever your "constant" parts of your event change.</P><P>It would be best if you could - as I said at the beginning - do something with the data as it goes into your system. Without it any searching across your data will be hugely inefficient.</P><P>In current situation it would probably be best to extract whole rows, then do mvexpand and then extract single fields from each line. You could do it by "counting" quotes but there's one caveat. It's trivial if you assume your field's contents cannot contain escaped quotes. It's getting a bit tricky if you can have escaped quotes. It's getting annoyingly complicated if you can have escaped quotes and escaped backslashes in your field values,</P> Sat, 02 Nov 2024 18:57:50 GMT https://community.splunk.com/t5/Splunk-Search/trying-to-split-one-event-into-multiple-events/m-p/703409#M238411 PickleRick 2024-11-02T18:57:50Z https://community.splunk.com/t5/Splunk-Search/trying-to-split-one-event-into-multiple-events/m-p/703434#M238422 <P>You could try something like this</P><LI-CODE lang="markup">| eval _raw=body | multikv forceheader=1</LI-CODE><P>Although you may need to rename the fields afterwards</P> Sun, 03 Nov 2024 13:14:55 GMT https://community.splunk.com/t5/Splunk-Search/trying-to-split-one-event-into-multiple-events/m-p/703434#M238422 ITWhisperer 2024-11-03T13:14:55Z