How to get the data in groups for a particular set...

gndivya · ‎01-14-2020

Hi,

I have 2 sets of data as below.

Set1
User1 dest1 Time1 EventCode-4722
User1 dest1 Time2 EventCode-4726
User1 dest1 Time3 EventCode-4722
User1 dest1 Time4 EventCode-4726
User1 dest1 Time5 EventCode-4722

Set2
User2 dest2 Time1 EventCode-4726
User2 dest2 Time2 EventCode-4722
User2 dest2 Time3 EventCode-4726

I need to get all the complete set (includes other fields) of data which starts with Event code 4722 and ends with 4726. How can I achieve this?

I want data as
set 1
User1 dest1 Time1 EventCode-4722
User1 dest1 Time2 EventCode-4726

set 2
User1 dest1 Time3 EventCode-4722
User1 dest1 Time4 EventCode-4726

set3
User2 dest2 Time2 EventCode-4722
User2 dest2 Time3 EventCode-4726

Please help. thanks in advance.

kamlesh_vaghela · ‎01-14-2020

@gndivya

Can you please try this?

YOUR_SEARCH | transaction endswith=EventCode="EventCode-4722" 
| where linecount=2 
| eval tmp=mvzip(Time,EventCode) 
| mvexpand tmp 
| eval Time=mvindex(split(tmp,","),0),EventCode=mvindex(split(tmp,","),1) 
| table User Dest Time EventCode

Sample Search:

| makeresults count=5 
| eval a=1 
| accum a 
| eval User="User1", Dest="dest1",Time="Time".a , c=a%2, EventCode="EventCode-".if(c==1,4722,4726) 
| table _time User Dest Time EventCode 
| rename comment as "Upto this is for data generation only" 
| transaction endswith=EventCode="EventCode-4722" 
| where linecount=2 
| eval tmp=mvzip(Time,EventCode) 
| mvexpand tmp 
| eval Time=mvindex(split(tmp,","),0),EventCode=mvindex(split(tmp,","),1) 
| table User Dest Time EventCode



| makeresults count=3 
| eval a=1 
| accum a 
| eval User="User2", Dest="dest2",Time="Time".a , c=a%2, EventCode="EventCode-".if(c==1,4726,4722) 
| table _time User Dest Time EventCode
| rename comment as "Upto this is for data generation only"
| transaction endswith=EventCode="EventCode-4722" 
| where linecount=2 
| eval tmp=mvzip(Time,EventCode) 
| mvexpand tmp 
| eval Time=mvindex(split(tmp,","),0),EventCode=mvindex(split(tmp,","),1) 
| table User Dest Time EventCode

How to get the data in groups for a particular set of data?

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Join the Conversation

How to get the data in groups for a particular set of data?

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...