Splunk Dev
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

extract a multiline field value into multiple events

yashaswinig2210
Engager
‎12-21-2020 12:31 AM

Hi,

I have a query which gives GroupName and its members in the below format

 

GroupName                    member
Domain Admins  CN=firstname1\, lastname1 P0,OU=P0-Accounts,OU=test OU
                                   CN=firstname2\, lastname2 P1,OU=P1-Accounts,OU=test OU
                                   CN=firstname3\, lastname3 P3,OU=P3-Accounts,OU=test OU

And im trying to extract it in multiple events like below seperately for each and every member

GroupName                    member
Domain Admins            CN=firstname1\, lastname1 P0,OU=P0-Accounts,OU=test OU
 Domain Admins           CN=firstname2\, lastname2 P1,OU=P1-Accounts,OU=test OU
 Domain Admins           CN=firstname3\, lastname3 P3,OU=P3-Accounts,OU=test OU

 

 

 

Labels (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎12-21-2020 12:41 AM

Does mvexpand work for you?

"your search"
|mvexpand member

 

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎12-21-2020 12:41 AM

Does mvexpand work for you?

"your search"
|mvexpand member

 

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Solved! Jump to solution

yashaswinig2210
Engager
‎12-21-2020 01:03 AM

@renjith_nair  No mvexpand didnt work

0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎12-21-2020 02:09 AM

Ok , so why didn't work, is it not a multi value field? or can you share the search which results in the existing state?

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Solved! Jump to solution

yashaswinig2210
Engager
‎12-21-2020 02:23 AM

Hey thanks now I realised my mistake i have used mvexpand on my lookup so it didnt work and now I tried mvexpand on actual index and sourcetype its working fine

 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...