Splunk Enterprise

Field has multiple values in an event. Get the last value

Engager

I have an event, for example:

request="GET /?act=auth&url=auth&email=auth&type=auth&status=auth HTTP/1.1" status=403 reqid="xxxxxxxxxx"

I need status to be 403, not auth.

I am executing the query

index="abc" | eval status = mvindex(status,-1) | stats count by status

I need it to return 403 with count 1, but it is returning auth with count 1.

@to4kawa Please check

SplunkTrust
index="abc" 
| rex "\sstatus=(?<status>\d+)\s"
| stats count by status

Why is `status` a multivalue field?
There is something wrong with the field values.

I have no choice but to re-extract it.

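To show why the accepted answer re-extracts the field, here is an added Python example (not from the thread or from Splunk) that models a naive key=value extractor picking up both `status=auth` inside the URL and `status=403`, then applies the same anchored pattern as the rex above and counts by status. The event lines are constructed samples; the naive extractor is a simplified model, not Splunk's actual automatic extraction logic.

```python
import re
from collections import Counter

# Constructed sample events in the same shape as the one in the question.
EVENTS = [
    'request="GET /?act=auth&url=auth&email=auth&type=auth&status=auth HTTP/1.1" status=403 reqid="xxxxxxxxxx"',
    'request="GET /?act=login&status=pending HTTP/1.1" status=200 reqid="yyyyyyyyyy"',
    'request="GET /health HTTP/1.1" status=200 reqid="zzzzzzzzzz"',
]

# Simplified key=value extractor: every key=value token, including those in
# the URL query string, is collected, so 'status' becomes a list of values.
KV_RE = re.compile(r'(\w+)=([^\s&"]+)')


def naive_kv_extract(event):
    """Return {key: [values...]} for every key=value token in the event."""
    fields = {}
    for key, value in KV_RE.findall(event):
        fields.setdefault(key, []).append(value)
    return fields


# Same pattern as the rex in the accepted answer: a whitespace-delimited
# status=<digits> token, which the &status=auth query parameter cannot match.
STATUS_RE = re.compile(r'\sstatus=(\d+)\s')


def extract_status(event):
    """Return the HTTP status code as a string, or None if the pattern is absent."""
    m = STATUS_RE.search(event)
    return m.group(1) if m else None


def count_by_status(events):
    """Equivalent of `| stats count by status` over the re-extracted field."""
    return Counter(s for s in map(extract_status, events) if s is not None)


if __name__ == "__main__":
    print(naive_kv_extract(EVENTS[0])["status"])  # multivalue: ['auth', '403']
    print(count_by_status(EVENTS))                # Counter({'200': 2, '403': 1})
```

Note the trailing `\s` in the pattern: an event whose last token is `status=NNN` with no character after it would not match, so anchor on `$` as well if your events end that way.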

SplunkTrust

What's your current query?


Engager

Current query:
index "abc" | eval status = mvindex(index,0) | stats values(status)

This should return auth.


SplunkTrust

You said:

I execute multiple queries
1) stats count by status: it returns auth
2) also tried mvindex(status,-1) to get the last index; that didn't work, it returns auth
3) stats values(status) returns auth

but the query you display is:

index "abc" | eval status = mvindex(index,0) | stats values(status)

Which is true?

If you're presented with a query that doesn't work, I don't know what it is.
