Re: Receiving an error while using the mvexpand co...

super_saiyan · ‎11-21-2022

Hi everyone,

currently, i am trying to expand one of the multiple field values but i am getting the result with the below error.
Field 'deployment' does not exist in the data.

index=json
|rex mode=sed "s/.*-\s//g"
|spath
|rename ops{}.steps{}.steps{}.address{}.deployment as deployment
|mvexpand deployment
|mvexpand operation
|table deployment

ITWhisperer · ‎11-25-2022

Put the field name in double quotes (usually it is single quotes for field names but rename seems to operate differently)

|rename "ops{}.steps{}.steps{}.address{}.deployment" as deployment

super_saiyan · ‎11-25-2022

anyone ?

ITWhisperer · ‎11-25-2022

If you don't have the deployment field, what fields do you have?

super_saiyan · ‎11-25-2022

Hi, I have shared the logs with you in DM

kamlesh_vaghela · ‎11-21-2022

@super_saiyan

Can you please share some sample events?

Meanwhile, you can try this rename as well.

| rename "ops.steps.steps.address.deployment" as deployment

KV

super_saiyan · ‎11-21-2022

Thanks much @kamlesh_vaghela
I have shared the logs in DM, please check

Receiving an error while using the mvexpand command (does not exist in the data)

data

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation