topic question involving breaking out multiple multivalue fields into events in Splunk Search

question involving breaking out multiple multivalue fields into events

kmaron — Mon, 05 Mar 2018 18:31:29 GMT

I'm having issues trying to break out individual events that are combined into multi-value fields

When I do a table on my fields I get this: one time entry then multiple values for name, entity, type and serverity.

_time           name                    entity           type                          severity
3/2/2018 11:28  High Load              CaseService      BUSINESS_TRANSACTION           CRITICAL
                Exceptions per Minute   Mainframe       APPLICATION_COMPONENT         CRITICAL
                High Response Time    /app/Quoting      BUSINESS_TRANSACTION           CRITICAL
                High Load              /app/Quoting     BUSINESS_TRANSACTION           WARNING
                High Response Time    RetrieveWorkItem  BUSINESS_TRANSACTION        CRITICAL
                High Load              Online             BUSINESS_TRANSACTION          WARNING
                Server Time          thing.do           APPLICATION_DIAGNOSTIC_DATA WARNING

What I want is each line/group of name, entity, type and severity to be an event with the same _time. Is this possible?

Re: question involving breaking out multiple multivalue fields into events

richgalloway — Mon, 05 Mar 2018 19:32:35 GMT

Can you share the search that got you these results?
Have you tried mvexpand?

Re: question involving breaking out multiple multivalue fields into events

kmaron — Tue, 29 Sep 2020 18:14:34 GMT

I can only seem to mvexpand one field. so if I mvexpand Name I can get one event for each Name but then the full list of entity, type and severity all exist for every name.

here's my search:
index=appd source=healthrule_violations application_name="PROD"
| spath healthrule_violations{}.name
| rename healthrule_violations{}.name AS name
| spath healthrule_violations{}.affectedEntityDefinition.name
| rename healthrule_violations{}.affectedEntityDefinition.name AS entity
| spath healthrule_violations{}.affectedEntityDefinition.entityType
| rename healthrule_violations{}.affectedEntityDefinition.entityType as type
| spath healthrule_violations{}.severity
| rename healthrule_violations{}.severity as severity
| table _time description name entity type severity

Re: question involving breaking out multiple multivalue fields into events

DalJeanis — Wed, 07 Mar 2018 22:21:54 GMT

Try this...

| eval zipped= mvzip(mvzip(mvzip(name,entity,"!!!!!entity="),type,"!!!!!type="),severity,"!!!!!severity=")
| mvexpand zipped
| fields _time zipped
| mvexpand zipped
| rex field=zipped "^(?<name>.*)!!!!!entity=(?<entity>.*)!!!!!type=(?<type>.*)!!!!!severity=(?<severity>.*)$"

The "!!!!!" delimiter is my own favorite, since it almost never appears in real data. Using commas or semicolons or dashes might accidentally split a field.

Re: question involving breaking out multiple multivalue fields into events

kmaron — Thu, 08 Mar 2018 13:37:28 GMT

That worked beautifully! You just made y day! Thank you!!!!!