Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to handle multivalue field?

manimuthu
Loves-to-Learn Everything
‎03-30-2022 06:35 AM

 part 1 - I have already grouped the events based on log.level (which has values like error,info,warn,fatal) stats count(log.level) by log.level . 

current output

log.level  count

error          3

warn          31

fatal          1

info          7

part 2 - i have a multivalue field mulVal at different levels.i need to loop all fields to find those mulVal (at different levels) and get the first not null mulVal field's value . if that field itself is not found in any levels then i need to consider it as "no value" for that event. next i need to get the mulVal (if any mulVal's value found or "no value") and group it based on log.level as shown in part-1 and need to display the mulVal 's value of latest event in each group

required output

log.level      mulVal           count

error             sample        3

warn             hello             31

fatal            no value           1

info             value                7

thanks in advance

Tags (1)
0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎03-30-2022 10:17 PM

@manimuthu  - I'm assuming that your JSON is being extracted properly with KV_MODE=json. (Like in your sample events fields like the app.appID, X.level,  and all are getting extracted.)

You can use the below query:

<your search query>
| rename "X.level" as log_level
| foreach * [| eval my_multi_value_field = if(like("<<FIELD>>", "%.mulVal%"), '<<FIELD>>', null())]
| fillnull value="no value" my_multi_value_field
| stats count by log_level, my_multi_value_field

 

I hope this helps!! Kindly upvote and accept the answer if it resolves your issue!!

0 Karma
Reply

manimuthu
Loves-to-Learn Everything
‎04-04-2022 02:59 AM

Hi .. thanks for the reply. i dont know where i am missing. its not working for me.

just to check i tried like...

| foreach *.stackTrace [| eval <<FIELD>> = "hello"]
| stats latest(field1.field2.x.x.stackTrace) as stacktrace by fieldN.msg

--->hello is not getting printed

.........

but when i give 

| foreach field1.field2.x.x.stackTrace [| eval <<FIELD>> = "hello"]
| stats latest(field1.field2.x.x.stackTrace) as stacktrace by fieldN.msg

--->hello is getting displayed 

could u kindly help me to identify where and what i am missing

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎04-04-2022 04:42 AM

Wait a second. Do you want to use foreach to "fill" a value where there is none?

It won't work this way.

If there is no field field1.field2.whatever.stackTrace, there is nothing to be matched by the wildcard.

I thought of an alternative approach - horribly ugly and "unsplunky" - use wildcard to match all fields, then use some kind of condition to verify if the field name is at the proper nesting level then add a ".stackTrace" to it and assign it a value. Unfortunately, splunk's parser won't let you do that apparently.

0 Karma
Reply

manimuthu
Loves-to-Learn Everything
‎04-04-2022 04:50 AM

no @PickleRick I dont want to fill a value where there is none.  some logs has field1.field2.whatever.stackTrace and some logs dont have that field. 

with wildcard *.stacktrace in foreach , i am not able to access that field. it is accessible only if i give directly field1.field2.x.x.stacktrace

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎04-04-2022 06:09 AM

Interesting because it seems that foreach does something strange with those "path" fields.

Compare for yourself

| makeresults 
| eval _raw="{\"a\":\"some\",\"b\":[{\"c\":{\"whatever\": {\"c\":\"dumb\"},\"not_matched\":\"really, not\",\"d\":{\"another_level\":{\"c\":\"example\" }},\"leftover\":\"here\"]}"
| kv

(you can use spath instead of kv as well)

and

| makeresults 
| eval _raw="{\"a\":\"some\",\"b\":[{\"c\":{\"whatever\": {\"c\":\"dumb\"},\"not_matched\":\"really, not\",\"d\":{\"another_level\":{\"c\":\"example\" }},\"leftover\":\"here\"]}"
| kv
| foreach *.c
   [ | eval <<FIELD>>= "matched"]
0 Karma
Reply

manimuthu
Loves-to-Learn Everything
‎03-30-2022 11:16 AM

1.mulVal field in different level

   app: { 

        appID: xxx

   }

   X: { 

     level: warn

     Message: err msg. 

   X: { 

     mulVal:[ abc]      

   Y: { 

       Z: { 

         Log: { 

         }

         mulVal: [ sample 1

      Sample2  ]

       }........

2. In some events no mulVal field is found

   app: { 

        appID: xxx

   }

   X: { 

     level: warn

     Message: err msg. 

   X: {     

   Y: { 

       Z: { 

         Log: { 

         }     ..........

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎03-30-2022 12:30 PM

OK. It's not a well-formed json, but let's presume for now that it represents the structure of your events.

And what would be the desired output that you would like to achieve?

0 Karma
Reply

manimuthu
Loves-to-Learn Everything
‎03-30-2022 09:13 AM

1.each event has a multivalue field at different levels in an event. (x.x.mulVal or x.y.z.mulVal or a.b.c.d.mulval) i need to find the first not null mulVal field's value

2.In some events that mulVal field itself is not found 

i hav to count the events based on the log.level (stats count(log.level) by log.level . )and  need to display the latest event's mulVal of each log.level. (i.e. need to find the latest event's mulVal of log.level = warn group ,latest event's mulVal of log.level = error group ,latest event's mulVal of log.level = info group ,latest event's mulVal of log.level = fatal group ) , if mulVal is empty or null then "no value" needs to appear

log.level      mulVal           count

error             sample        3

warn             hello             31

fatal            "no value"           1

info             value                7

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎03-30-2022 09:57 AM

Judging by your notation, the event is in some form of structured data. Most probably json. Am I right?

Give us a sample or a few samples if there are possible variations, it will be much easier.

0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎03-30-2022 09:54 AM

Can you please provide the sample raw logs (after masking data is necessary)? Because I'm trying to under mulVal and by that what you are referring to. Everything else seems clear.

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎03-30-2022 07:12 AM

It's a bit unclear what you want to do but remember that there are no "holes" in multivalued fields. They are good for providing - for example - output list of a stats command when the actual order of values and continuity is not important but it's not good for looking up values by index and the such.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...