How to make a table with multiple multivalue fields?

aadrian — Fri, 10 Aug 2012 10:25:21 GMT

I need to make a table with some information from events.

my event looks like:

[timestamp][some info]

[function_name_1][id_1][param_1][result_1]

[function_name_2][id_2][param_2][result_2]

[function_name_3][id_3][param_3][result_3]

...

[function_name_n][id_n][param_n][result_n]

Because my regexp only found the first occurance of the fields(function_name,id,param,result) so I used MV_ADD for all multivalue fields and now it finds all occurences.

My table should looks like:

problem is with multivalue fields, for the last 4 column in one record I've got couple values and my table looks like:

I read about mvexpand command but it doesn't work good with multiple multivalue fields.
after mvcommand for all multivalue fields I've got:

My last query looks like:

"table _time some_info function_name id param result | mvexpand function_name| mvexpand id|mvexpand param |mvexpand result"

Could any one help me with this situation.

Thanks,

Adrian.

Re: How to make a table with multiple multivalue fields?

adityapavan18 — Thu, 20 Sep 2012 13:58:27 GMT

Hi aadrian,

I am facing a similiar situation, have you got a solution to this?? even i am struggling to do the same.

Thnx

Re: How to make a table with multiple multivalue fields?

disha — Mon, 21 Jan 2013 22:08:35 GMT

Did You find any solution..Looks like nobody answering multiple multivalued field.I am stucked with the same.

Re: How to make a table with multiple multivalue fields?

sbsbb — Tue, 22 Jan 2013 07:09:25 GMT

I would try to use spath, output the result in a field, and do an mvexpand on that...

Re: How to make a table with multiple multivalue fields?

disha — Mon, 28 Sep 2020 13:09:22 GMT

I have tried that. mvexpand is giving each field as one line as
P_NAME P_value

p1 m1
p2 m2
p3 m3
But I cannot figure out how to do one to one mapping of P_NAME and P_ID as I need to draw a chart like
chart first(P_value) over _time by P_NAME
Please help.
Thanks

Re: How to make a table with multiple multivalue fields?

sbsbb — Mon, 28 Sep 2020 13:09:25 GMT

I'm not sure to understand your problem, I've done something similar with xml.
In your case, maybe you should extract all information as one field (lets say eField) " |function_name_1|id_1 |param_1|result_1", then mvexpand, and only after that, extract fields out of this eField

topic Re: How to make a table with multiple multivalue fields? in Splunk Search

How to make a table with multiple multivalue fields?

Re: How to make a table with multiple multivalue fields?

Re: How to make a table with multiple multivalue fields?

Re: How to make a table with multiple multivalue fields?

Re: How to make a table with multiple multivalue fields?

Re: How to make a table with multiple multivalue fields?