Hey Guys,
I have events that contain the same field more than once, like so:
12/08/2015 1:03:03 PM Server="exchange" User="admin@domain.com" Identity="bigstring=" Cmdlet="Set-DistributionGroup" Param="-IgnoreNamingPolicy 'True'" Param="-Identity 'Distro Group'" Success="True" Error=""
So as you can see, my event has 2 Param fields for the "Set-DistributionGroup" cmdlet.
I am wondering how to combine these fields into one. Thanks!
If your logs have the format mentioned above (key-value pairs), Splunk should've extracted a multivalued field Param already, which will contain both the Param values. Try running this and see if you can see both values under the same field name.
your base search | table Param
Hi weznagwama,
I think you can use the "makemv" command with "delim" by mentioning the separator.
| makemv delim="-" Cmdlet | top Cmdlet
-Krishna Rajapantula
Hey mate, thanks for the reply. I've unfortunately got stuck on something else relating to PowerShell scripts running, so I can't test this yet, until I get the PowerShell script working. Will post back once I do.
If you are not getting two Params field-extracted, you could use a rex and an eval:
| rex field=_raw "Param=\"(?<p1>[^\"]*)\" Param=\"(?<p2>[^\"]*)\"" | eval param=p1.p2
Hey mate,
Thanks for the reply.
Let's assume an event has 4 separate Params.
Is there a way to field extract to match all? Or would I just have to say regex 10 params, eval p1...p10, to catch up to 10 params?
The issue being that not all events have 2 params...some could have 1 or some could have 6. Thanks again.
If you don't know how many parameters you are going to have, you can have all the params extracted into a multi-value field called 'oneparam', and then use mvjoin to put them into a single parameter (called params). Each field will be separated by a space.
| rex max_match=0 field=_raw "Param=\"(?<oneparam>[^\"]*)\"" | eval params=mvjoin(oneparam, " ")
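To make the difference between the fixed two-capture rex and the max_match=0 approach concrete, here is an added Python example (not part of the thread, and not Splunk's own code) that runs the same regexes over constructed sample events: the event from the question, a one-Param event and a zero-Param event. The event strings, the Get-Mailbox cmdlet and the function names are assumptions for the illustration; the regex bodies are the ones from the answers above.

```python
import re

# Constructed sample events in the thread's key="value" format (not real Exchange
# audit logs); the first mirrors the event in the question, the others cover the
# one-Param and zero-Param cases asked about.
EVENTS = [
    '12/08/2015 1:03:03 PM Server="exchange" User="admin@domain.com" '
    'Identity="bigstring=" Cmdlet="Set-DistributionGroup" '
    'Param="-IgnoreNamingPolicy \'True\'" Param="-Identity \'Distro Group\'" '
    'Success="True" Error=""',
    '12/08/2015 1:04:10 PM Server="exchange" User="admin@domain.com" '
    'Identity="other=" Cmdlet="Get-Mailbox" Param="-Identity \'jdoe\'" '
    'Success="True" Error=""',
    '12/08/2015 1:05:00 PM Server="exchange" User="admin@domain.com" '
    'Identity="other=" Cmdlet="Get-Mailbox" Success="False" Error="Access denied"',
]

# Same pattern as the thread's rex: [^"]* stops at the closing double quote, so
# single quotes inside a value (e.g. 'Distro Group') are kept verbatim.
PARAM_RE = re.compile(r'Param="([^"]*)"')
# The fixed two-capture pattern from the earlier answer.
TWO_PARAM_RE = re.compile(r'Param="([^"]*)" Param="([^"]*)"')
# Generic key="value" pattern, standing in for Splunk's automatic KV extraction.
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def extract_params(event: str) -> list[str]:
    """Equivalent of `rex max_match=0 ... (?<oneparam>...)`: every Param value, in order."""
    return PARAM_RE.findall(event)


def join_params(event: str, sep: str = " ") -> str:
    """Equivalent of `eval params=mvjoin(oneparam, " ")`; empty string if there is no Param."""
    return sep.join(extract_params(event))


def two_params_fixed(event: str):
    """The two-capture rex followed by `eval param=p1.p2` (no separator).

    Returns None when the event does not contain two adjacent Param fields, and
    silently drops any Param after the second, which is why it does not cope with
    events carrying 1 or 6 parameters.
    """
    m = TWO_PARAM_RE.search(event)
    return None if m is None else m.group(1) + m.group(2)


def parse_event(event: str) -> dict[str, list[str]]:
    """Generic key="value" extraction; a repeated key becomes a multivalue field."""
    fields: dict[str, list[str]] = {}
    for key, value in KV_RE.findall(event):
        fields.setdefault(key, []).append(value)
    return fields


if __name__ == "__main__":
    for ev in EVENTS:
        print(parse_event(ev)["Cmdlet"][0], "->", repr(join_params(ev)))
```

Running it prints one line per event with the joined Param string; the one-Param event yields a single value and the zero-Param event an empty string, while `two_params_fixed` returns None for both of those, which is the failure mode the max_match=0 version avoids.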
Thanks for the reply. I've unfortunately gotten stuck on attempting to get a PowerShell script working (turns out it's quite difficult). Will post back once I get that going. Cheers.