topic Re: How do I table 3 distinct values within the same event if all values share the same field name? in Splunk Search

How do I table 3 distinct values within the same event if all values share the same field name?

monteirolopes — Wed, 13 Apr 2016 19:41:08 GMT

Hi,

In my log, I have the same name field for three distinct values in the same event. For example:

...
Security ID:Joseph Security ID:Admin Security ID:Lopes
..

When I use the search:

... | table Security_ID

Splunk shows me:
(2 events)

Security ID

Joseph
Admin
Lopes

...

John
Felippe
Brian

How cCan I distinguish this information on three distinct fields in a search? I tried to create field extractions, but the log has a lot of data and my sample does not appear by entire.

Security ID

Joseph (field 1)
Admin (field 2)
Lopes (field 3)
...

John (field 1)
Felippe (field 2)
Brian (field 3)

Best regards,
Lopes.

Re: How do I table 3 distinct values within the same event if all values share the same field name?

sundareshr — Wed, 13 Apr 2016 20:21:40 GMT

Here is a runanywhere example of how you can do this

| gentimes start=-1 | eval _raw="Security ID:Joseph Security ID:Admin Security ID:Lopes" | rex max_match=3 "ID:(?<id>\w+)" | nomv id | table id

If you wan them as separate fields you could do this

| gentimes start=-1 | eval _raw="Security ID:Joseph Security ID:Admin Security ID:Lopes" | rex max_match=3 "ID:(?<id>\w+)" | eval f1=mvindex(id, 0) | eval f2=mvindex(id, 1) | eval f3=mvindex(id, 2) | table f1 f2 f3

Re: How do I table 3 distinct values within the same event if all values share the same field name?

monteirolopes — Thu, 14 Apr 2016 12:43:32 GMT

Is there a generic way to do without writing the values of the lines? I have a lot of event values in the same search.

Re: How do I table 3 distinct values within the same event if all values share the same field name?

sundareshr — Thu, 14 Apr 2016 15:49:17 GMT

Not sure I understand. This is is runanywhere example. When you use it, you will ignore everthing before the rex command. The rex is a generic regular expression that will extract as long as the field name ends with "ID:" and the values are single word values. If there could be more than 3 fields, you can change the max_match to whatever number you think you need. Setting max_match to 0 will yield unlimited matches in a single event.

As far as the mvindex function is concerned, not sure there is a generic way to do that.

Re: How do I table 3 distinct values within the same event if all values share the same field name?

monteirolopes — Thu, 14 Apr 2016 17:02:27 GMT

Worked perfectly!

Thank you very much!

Re: How do I table 3 distinct values within the same event if all values share the same field name?

ppablo — Mon, 18 Apr 2016 23:45:01 GMT

Hi @monteirolopes

Glad you were able to find a solution on Answers from @sundareshr 🙂 Please don't forget to resolve the post by clicking "Accept" directly below his answer. This will make it easier to find for other users with a similar issue. Thanks!