Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Extract multiple name value pairs from a field

jbax
Engager
‎07-06-2020 10:34 PM

Hello,

I have a field that contains the string below. 

a) There can be fewer/more than the 4 events listed below.  

b) Value of the events will be different.

(event=aa)(event=bb)(event=cc)(event=normal)

 

=====================================================

1) How can I create a new field events that equals "aa,bb,cc,normal"?

2) Is there a way to exclude the normal event?  So field events = "aa,bb,cc" only? 

3) Is there a way to make it list like so I can filter on these events values?  (ie - potentially count # of events with aa or cc or (aa + cc)?) 

4) Is there a way to count the events returned in the field?  

Thank you!

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎07-06-2020 11:09 PM

@jbax,

Try regex

 

|rex field=events max_match=0 "event=(?<EVENTS>.+?)\)"

 

From the result, you can do rest of the stats

Sample data

 

|makeresults|eval events="(event=aa)(event=bb)(event=cc)(event=normal) (event=xx)(event=yy)(event=zz)(event=normal)"|makemv events|mvexpand events|streamstats count as uniqueField
|rex field=events max_match=0 "event=(?<EVENTS>.+?)\)"
|eval Total=mvcount(EVENTS)
|stats count as event_count,max(Total) as Total by EVENTS,uniqueField

 

 

Let's know your final output format. We can fine tune w.r.t count and total

 

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎07-06-2020 11:09 PM

@jbax,

Try regex

 

|rex field=events max_match=0 "event=(?<EVENTS>.+?)\)"

 

From the result, you can do rest of the stats

Sample data

 

|makeresults|eval events="(event=aa)(event=bb)(event=cc)(event=normal) (event=xx)(event=yy)(event=zz)(event=normal)"|makemv events|mvexpand events|streamstats count as uniqueField
|rex field=events max_match=0 "event=(?<EVENTS>.+?)\)"
|eval Total=mvcount(EVENTS)
|stats count as event_count,max(Total) as Total by EVENTS,uniqueField

 

 

Let's know your final output format. We can fine tune w.r.t count and total

 

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Solved! Jump to solution

jbax
Engager
‎07-07-2020 09:08 PM

@renjith_nair 

 

Thanks, this worked well for me!   Would you know of a way to exclude values (ie - normal)?  

Thank you!

0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎07-07-2020 09:26 PM

Sure. Just add this after the rex command

|eval EVENTS=mvfilter(!match(EVENTS,"normal"))
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...