Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Dealing with Lists

richtate
Path Finder
‎08-09-2021 12:06 PM

I have network logs that show various network device communication that are in an index in Splunk.  I have another index that has information about the devices that I need to report on.  But I'm having issues because the network logs are summarizing the network activity and showing all the devices with the same activity, as seen below:

richtate_0-1628535722543.png

How can I get the individual information about the devices and/or how can I enumerate the information above.  If I send to a table, the device_ids will be blank, even if there is only one device in the list.

Labels (5)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-11-2021 08:44 AM 
| spath device_ids{} output=device_ids
| mvexpand device_ids

View solution in original post

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-10-2021 12:03 AM 
your first search
| rename device_ids as device_id
| append [your second search
  | rename device_field as device_id]
| stats values(*) as * by device_id
0 Karma
Reply
Solved! Jump to solution

richtate
Path Finder
‎08-10-2021 09:33 AM

device_ids still come in as a list and doesn't expand to find the device from the second list.  What am I doing wrong?

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-10-2021 09:38 AM

Can you share the raw event rather than an image of the formatted event?

0 Karma
Reply
Solved! Jump to solution

richtate
Path Finder
‎08-10-2021 10:50 AM

The base index of assets is:

index=asset sourcetype=Network:Asset
| table id ipAddress macAddress name type tags

The index with network activity is:

index=test sourcetype=network | table description device_ids devices lastSeen score type

I'm trying to merge the data together with the asset information so I know what and where the activity is.  I'd like a table like this:

id ipAddress name description lastSeen score type macAddress tags

I could join the indexes to get what I'm looking for using device ids as you suggested.  But the issue I'm having is the second SPL with the list of ids in the device_ids field.  I don't know how to enumerate them to merge the asset index with the test index.

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-10-2021 03:09 PM

I can't see how we can help you without you sharing the events you are dealing with because we have suggested things based on our assumptions, which you say don't give you what you want, so our assumptions are probably incorrect. It is fine for you to not share, but I can't see how we can help you further in that case.

0 Karma
Reply
Solved! Jump to solution

richtate
Path Finder
‎08-10-2021 03:50 PM

richtate_0-1628635788154.png

Here is the table output of the first SPL

 

0 Karma
Reply
Solved! Jump to solution

richtate
Path Finder
‎08-10-2021 03:55 PM

richtate_0-1628636022752.png

Here is the second SPL in table format, you can see the device_ids are blank but the affectedDevicesCount show there are over 1300 ids in the device_ids field.  That is why I posted the _raw unformated data to open because I could expand the list given for the device_ids field.

 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-11-2021 12:05 AM

It looks like the field is not being extracted. In order to help you extract it in the search, we need to see the raw data from the events. You haven't posted the raw event - rerun the search in verbose mode, click on the events tab, expand one (or more) of the event (if it has more lines to show) and copy the raw data from the event.

0 Karma
Reply
Solved! Jump to solution

richtate
Path Finder
‎08-11-2021 08:29 AM

richtate_0-1628695604982.png

Sorry, I'm a n00b.  Here is the first event in the previous screenshot.  You can see the device_ids are returned, but not shown on the table.  I need to take each device_id and return an event for each id, that way I can join with the other index for network asset information.  As you can see now, I don't know what asset it transmitting the packets.

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-11-2021 08:44 AM 
| spath device_ids{} output=device_ids
| mvexpand device_ids
Reply
Solved! Jump to solution

richtate
Path Finder
‎08-11-2021 09:16 AM

Thank you, that is exactly what I was looking for.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎08-09-2021 05:04 PM

Break the list up into separate events by using mvexpand device_ids.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

richtate
Path Finder
‎08-10-2021 09:31 AM

I attempted to use mxexpand but the same result on search was returned.  Only 1 event exactly as shown above.  How will this command create new events with the same data, only an individual device_id?  I tried using a table, but still nothing:

index="test" sourcetype="network" 
| mvexpand device_ids
| table device_ids description devices lastSeen score type

 

Sorry, I'm a n00b

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...