topic Re: How to extract a field from multi valued event? in Splunk Search

How to extract a field from multi valued event?

jkirankumar1993 — Fri, 02 Mar 2018 18:12:11 GMT

Hi,

This is the sample event

GA.769:180302:113834:: INFO.PSA: Getting issue for ID: 931778
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'AE Test Fail' of type com.atlassian.servicedesk.internal.sla.customfield.SLACFType w...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'AE Testing in Progress' of type com.atlassian.servicedesk.internal.sla.customfield.S...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Activating' of type com.atlassian.servicedesk.internal.sla.customfield.SLACFType was...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Adding to .Net Website' of type com.atlassian.servicedesk.internal.sla.customfield.S...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'All Sec Incidents (closed)' of type com.atlassian.servicedesk.internal.sla.customfie...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Application Certification' of type com.atlassian.servicedesk.internal.sla.customfiel...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Approvals' of type com.atlassian.servicedesk.plugins.approvals.internal.customfield....
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Approvals' of type com.atlassian.servicedesk.plugins.approvals.internal.customfield....
class type: java.util.HashMap
map values: null --> 505 :: NetOps-HR
map values: 1 --> 90109
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'BHN Test' of type com.atlassian.servicedesk.internal.sla.customfield.SLACFType was s...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Building Test Lines' of type com.atlassian.servicedesk.internal.sla.customfield.SLAC...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Checking Connectivity' of type com.atlassian.servicedesk.internal.sla.customfield.SL...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Connect to Network and Add to INS' of type com.atlassian.servicedesk.internal.sla.cu...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Connecting MTA to Network' of type com.atlassian.servicedesk.internal.sla.customfiel...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Creating Test Accounts' of type com.atlassian.servicedesk.internal.sla.customfield.S...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Customer Request Type' of type com.atlassian.servicedesk.internal.customfields.origi...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Customer Response Time' of type com.atlassian.servicedesk.internal.sla.customfield.S...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'DOCSIS Test' of type com.atlassian.servicedesk.internal.sla.customfield.SLACFType wa...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Days to Resolution' of type com.atlassian.servicedesk.internal.sla.customfield.SLACF...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Epic Link' of type com.atlassian.greenhopper.customfield.epiclink.EpicLinkCFType was...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'FCC 2 Weeks' of type com.atlassian.servicedesk.internal.sla.customfield.SLACFType wa...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'FCC 3 Weeks' of type com.atlassian.servicedesk.internal.sla.customfield.SLACFType wa...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'First Response' of type com.atlassian.servicedesk.internal.sla.customfield.SLACFType...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'First Response Task Metric' of type com.atlassian.servicedesk.internal.sla.customfie...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'IT Testing' of type com.atlassian.servicedesk.internal.sla.customfield.SLACFType was...

When I use regular expression I am getting the value from the first line but not from the other lines. I want to capture the fields that start after INFO.getCustomFieldValues(): field.

Re: How to extract a field from multi valued event?

niketn — Fri, 02 Mar 2018 18:44:43 GMT

@jkirankumar1993, you would need to use max_match=0 to fetch multiple values for the multi-valued field extraction using rex command. Try the following run anywhere search based on sample data provided:

| makeresults
| eval _raw="GA.769:180302:113834:: INFO.PSA: Getting issue for ID: 931778
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'AE Test Fail' of type com.atlassian.servicedesk.internal.sla.customfield.SLACFType w...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'AE Testing in Progress' of type com.atlassian.servicedesk.internal.sla.customfield.S...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Activating' of type com.atlassian.servicedesk.internal.sla.customfield.SLACFType was...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Adding to .Net Website' of type com.atlassian.servicedesk.internal.sla.customfield.S...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'All Sec Incidents (closed)' of type com.atlassian.servicedesk.internal.sla.customfie...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Application Certification' of type com.atlassian.servicedesk.internal.sla.customfiel...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Approvals' of type com.atlassian.servicedesk.plugins.approvals.internal.customfield....
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Approvals' of type com.atlassian.servicedesk.plugins.approvals.internal.customfield....
class type: java.util.HashMap
map values: null --> 505 :: NetOps-HR
map values: 1 --> 90109
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'BHN Test' of type com.atlassian.servicedesk.internal.sla.customfield.SLACFType was s...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Building Test Lines' of type com.atlassian.servicedesk.internal.sla.customfield.SLAC...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Checking Connectivity' of type com.atlassian.servicedesk.internal.sla.customfield.SL...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Connect to Network and Add to INS' of type com.atlassian.servicedesk.internal.sla.cu...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Connecting MTA to Network' of type com.atlassian.servicedesk.internal.sla.customfiel...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Creating Test Accounts' of type com.atlassian.servicedesk.internal.sla.customfield.S...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Customer Request Type' of type com.atlassian.servicedesk.internal.customfields.origi...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Customer Response Time' of type com.atlassian.servicedesk.internal.sla.customfield.S...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'DOCSIS Test' of type com.atlassian.servicedesk.internal.sla.customfield.SLACFType wa...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Days to Resolution' of type com.atlassian.servicedesk.internal.sla.customfield.SLACF...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Epic Link' of type com.atlassian.greenhopper.customfield.epiclink.EpicLinkCFType was...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'FCC 2 Weeks' of type com.atlassian.servicedesk.internal.sla.customfield.SLACFType wa...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'FCC 3 Weeks' of type com.atlassian.servicedesk.internal.sla.customfield.SLACFType wa...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'First Response' of type com.atlassian.servicedesk.internal.sla.customfield.SLACFType...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'First Response Task Metric' of type com.atlassian.servicedesk.internal.sla.customfie...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'IT Testing' of type com.atlassian.servicedesk.internal.sla.customfield.SLACFType was..."
| rex "INFO\.getCustomFieldValues\(\):\sfield\s\'(?<myField>[^\']+)\'\sof\stype" max_match=0

Re: How to extract a field from multi valued event?

jkirankumar1993 — Fri, 02 Mar 2018 19:07:01 GMT

I have series of events like this. I want to extract field called "custom_field" from all these multi valued events.

Example or sample output of extracted field:

AE Test Fail
AE Testing in Progress
Activating
.............
.............

Note: I dont have access to any config files. So, can you tell any regular expression to capture all those values?

Re: How to extract a field from multi valued event?

jkirankumar1993 — Fri, 02 Mar 2018 19:10:44 GMT

Your query worked great for this single event. But, I have series of events and i want to extract these values as a field so that I can make a report

Re: How to extract a field from multi valued event?

niketn — Sun, 04 Mar 2018 13:21:03 GMT

Try adding mvexpand to your query to expand the multiple values of that is what you want.

<yourBaseSearch>
| fields _raw
| rex "INFO\.getCustomFieldValues\(\):\sfield\s\'(?<myField>[^\']+)\'\sof\stype" max_match=0
| mvexpand myField 
| table myField

Re: How to extract a field from multi valued event?

jkirankumar1993 — Mon, 05 Mar 2018 15:53:14 GMT

Worked Great. Thanks a lot

Re: How to extract a field from multi valued event?

niketn — Mon, 05 Mar 2018 15:57:17 GMT

Glad you found it working. Please up vote the comments that helped 🙂