Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Expand the multivalue fields

RSS_STT
Explorer
‎01-17-2024 12:13 AM

Trying to expand the multivalue field with one to one mapping as shown in image.

mvexpand create multiple row with all column matching value.

Actual data with multivalue.

childchild_Namedv_classn_namedirectionnameparent
55555      



Tags (1)
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎01-17-2024 04:30 AM

As @gcusello already noticed, you probably used a lot of values() in your stats.

As you can see yourself, it results with a list of multivalued fields. The problem with that is that each of those multivalued fields is a separate entity and there is no relationship between them. So you can reliably split those values into single rows unless you have a very very strong guarantee for some properties of your data.

For example, for source data like

field1field2field3
12 
1 3
145
16 
18 
1 9
1 

11

 You'd get a result like this:

values(field1)values(field2)values(field3)
12
4
6
8		3
5
9
11

If you tried "unpacking" it assuming that the values from the two latter colums match 1-1 you'd get completely ridiculous results.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎01-17-2024 12:44 AM

It is not clear how you arrived at your current state, and it might be easier to solve with some sight of your current search and events (as @gcusello  has indicated), however, assuming you still want to go forward from where you seem to be, you could try something like this:

| eval row=mvrange(0,mvcount(child_Name))
| mvexpand row
| foreach child_Name direction dv_u_parent_class parent
    [| eval <<FIELD>>=mvindex(<<FIELD>>,row)]
| fields - _row
0 Karma
Reply

RSS_STT
Explorer
‎01-17-2024 10:48 PM

it's possible to write partial data in to lookup file on base on some condition.

Like...

if dv_u_parent_class = ci_appld than outputlookup append=true abc.csv

|where dv_u_parent_class != ci_appld

and run time query should show rest two events.

 

childchild_Namedv_u_parent_classfqdn_namedirectionname

parent

55555xyz PROD
ci_appld		xyz.srv.comR toYxyz111111
55555abc PRODci_appldxyz.srv.com
R to Y		xyz
222222
55555zzzz-FSE2ci_netcomxyz.srv.comY to Rxyz333333
55555abc.srv.comci_esx_appxyz.srv.comY to Rxyz444444
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-17-2024 10:58 PM

Hi @RSS_STT ,

as I said, you can use my search and after use some conditions to filter results.

Ciao.

Giuseppe

0 Karma
Reply

RSS_STT
Explorer
‎01-18-2024 12:04 AM

Im able to get that result but not getting logic to write filter data into lookup and later drop the event which written to lookup.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎01-18-2024 01:57 AM

Logic that you could use could go something like this

<your search>
| appendpipe
  [| where <conditions for events you want to output>
   | outputlookup <your csv>
   | where false()
   ``` This removes all the events so that they are not appended to your main event pipeline ```
  ]
| where <conditions for events you want to keep i.e. not the events you wrote to the csv>
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-17-2024 12:20 AM

Hi @RSS_STT,

I suppose that your search is something like this:

<your-search>
| stats 
   values(child_Name) AS child_Name
   values(dv_u_parent_class) AS dv_u_parent_class
   values(fqdn_name) AS fqdn_name
   values(direction) AS direction
   values(name) AS name
   values(parent) AS parent
   BY child

You shoud try something like this:

<your-search>
| stats 
   values(fqdn_name) AS fqdn_name
   values(name) AS name
   BY child child_Name dv_u_parent_class direction parent

I could be more detailed if you can share your search.

Ciao.

Giuseppe

0 Karma
Reply

RSS_STT
Explorer
‎01-17-2024 12:33 AM

Yes, I was trying the first query shared by you previously but second query shared by you also creating 96 record where i'm expecting only 4 record.

Tags (1)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-17-2024 12:44 AM

Hi @RSS_STT,

probably there are more combinations of your values, not only 4.

You have two solutions: use less fields as keys in the stats command, but you'll have some filed with multivalue.

Otherwise you should identify some rules to filter your results.

Anyway, the only way to have only one value in a stats command is to put it in the BY clause.

There's also another solution, but in this way you loose some results: instead values, you could use the first option, taking only one value for each: I don't know (but I don't think) that this is acceptable for you!

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
Top