Splunk Dev
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

extract a multiline field value into multiple events

yashaswinig2210
Engager
‎12-21-2020 12:31 AM

Hi,

I have a query which gives GroupName and its members in the below format

 

GroupName                    member
Domain Admins  CN=firstname1\, lastname1 P0,OU=P0-Accounts,OU=test OU
                                   CN=firstname2\, lastname2 P1,OU=P1-Accounts,OU=test OU
                                   CN=firstname3\, lastname3 P3,OU=P3-Accounts,OU=test OU

And im trying to extract it in multiple events like below seperately for each and every member

GroupName                    member
Domain Admins            CN=firstname1\, lastname1 P0,OU=P0-Accounts,OU=test OU
 Domain Admins           CN=firstname2\, lastname2 P1,OU=P1-Accounts,OU=test OU
 Domain Admins           CN=firstname3\, lastname3 P3,OU=P3-Accounts,OU=test OU

 

 

 

Labels (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎12-21-2020 12:41 AM

Does mvexpand work for you?

"your search"
|mvexpand member

 

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎12-21-2020 12:41 AM

Does mvexpand work for you?

"your search"
|mvexpand member

 

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Solved! Jump to solution

yashaswinig2210
Engager
‎12-21-2020 01:03 AM

@renjith_nair  No mvexpand didnt work

0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎12-21-2020 02:09 AM

Ok , so why didn't work, is it not a multi value field? or can you share the search which results in the existing state?

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Solved! Jump to solution

yashaswinig2210
Engager
‎12-21-2020 02:23 AM

Hey thanks now I realised my mistake i have used mvexpand on my lookup so it didnt work and now I tried mvexpand on actual index and sourcetype its working fine

 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...