Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Extract multiple name value pairs from a field

jbax
Engager
‎07-06-2020 10:34 PM

Hello,

I have a field that contains the string below. 

a) There can be fewer/more than the 4 events listed below.  

b) Value of the events will be different.

(event=aa)(event=bb)(event=cc)(event=normal)

 

=====================================================

1) How can I create a new field events that equals "aa,bb,cc,normal"?

2) Is there a way to exclude the normal event?  So field events = "aa,bb,cc" only? 

3) Is there a way to make it list like so I can filter on these events values?  (ie - potentially count # of events with aa or cc or (aa + cc)?) 

4) Is there a way to count the events returned in the field?  

Thank you!

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎07-06-2020 11:09 PM

@jbax,

Try regex

 

|rex field=events max_match=0 "event=(?<EVENTS>.+?)\)"

 

From the result, you can do rest of the stats

Sample data

 

|makeresults|eval events="(event=aa)(event=bb)(event=cc)(event=normal) (event=xx)(event=yy)(event=zz)(event=normal)"|makemv events|mvexpand events|streamstats count as uniqueField
|rex field=events max_match=0 "event=(?<EVENTS>.+?)\)"
|eval Total=mvcount(EVENTS)
|stats count as event_count,max(Total) as Total by EVENTS,uniqueField

 

 

Let's know your final output format. We can fine tune w.r.t count and total

 

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎07-06-2020 11:09 PM

@jbax,

Try regex

 

|rex field=events max_match=0 "event=(?<EVENTS>.+?)\)"

 

From the result, you can do rest of the stats

Sample data

 

|makeresults|eval events="(event=aa)(event=bb)(event=cc)(event=normal) (event=xx)(event=yy)(event=zz)(event=normal)"|makemv events|mvexpand events|streamstats count as uniqueField
|rex field=events max_match=0 "event=(?<EVENTS>.+?)\)"
|eval Total=mvcount(EVENTS)
|stats count as event_count,max(Total) as Total by EVENTS,uniqueField

 

 

Let's know your final output format. We can fine tune w.r.t count and total

 

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Solved! Jump to solution

jbax
Engager
‎07-07-2020 09:08 PM

@renjith_nair 

 

Thanks, this worked well for me!   Would you know of a way to exclude values (ie - normal)?  

Thank you!

0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎07-07-2020 09:26 PM

Sure. Just add this after the rex command

|eval EVENTS=mvfilter(!match(EVENTS,"normal"))
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Get Updates on the Splunk Community!

AI for AppInspect

We’re excited to announce two new updates to AppInspect designed to save you time and make the app approval ...

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

As we step into 2026, it’s the perfect moment to reflect on what an extraordinary year 2025 was for the Splunk ...

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Overview Enterprise Security 8.3 introduces a powerful new feature called “Entity Risk Scoring” (ERS) for ...