Solved: Re: field has multiple value in an event .Get the ...

bharat149 · ‎06-09-2020

I have an event for example:

request="GET /?act=auth&url=auth&email=auth&type=auth&status=auth HTTP/1.1" status=403 reqid="xxxxxxxxxx"

I need status to bt 403, not auth.

I am executing the query

index="abc" | eval status = mvindex(status,-1) | status count by status

I need to return 403 with count 1 but it is returing auth with count 1

@to4kawa Please check

to4kawa · ‎06-11-2020

index="abc" 
| rex "\sstatus=(?<status>\d+)\s"
| stats count by status

Why is the `status` a multiple value?
There is something wrong with the field values.

I have no choice but to re-extract it.

View solution in original post

to4kawa · ‎06-11-2020

index="abc" 
| rex "\sstatus=(?<status>\d+)\s"
| stats count by status

Why is the `status` a multiple value?
There is something wrong with the field values.

I have no choice but to re-extract it.

to4kawa · ‎06-09-2020

what's your current query?

bharat149 · ‎06-11-2020

Current query
index "abc" | eval status = mvindex(index,0) | stats values(status)

This should return auth

to4kawa · ‎06-11-2020

you said

I execute multiple queries
1) stats count by the status it returns auth
2) tried also mvindex(status,-1) to get the last index that didn't work it return auth
3) stats values(status) return auth

but the query you display is

index "abc" | eval status = mvindex(index,0) | stats values(status)

Which is true?

If you're presented with a query that doesn't work, I don't know what it is.

field has multiple value in an event .Get the last value

using Splunk Enterprise

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!