Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Extract multiple name value pairs from a field

jbax
Engager
‎07-06-2020 10:34 PM

Hello,

I have a field that contains the string below. 

a) There can be fewer/more than the 4 events listed below.  

b) Value of the events will be different.

(event=aa)(event=bb)(event=cc)(event=normal)

 

=====================================================

1) How can I create a new field events that equals "aa,bb,cc,normal"?

2) Is there a way to exclude the normal event?  So field events = "aa,bb,cc" only? 

3) Is there a way to make it list like so I can filter on these events values?  (ie - potentially count # of events with aa or cc or (aa + cc)?) 

4) Is there a way to count the events returned in the field?  

Thank you!

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎07-06-2020 11:09 PM

@jbax,

Try regex

 

|rex field=events max_match=0 "event=(?<EVENTS>.+?)\)"

 

From the result, you can do rest of the stats

Sample data

 

|makeresults|eval events="(event=aa)(event=bb)(event=cc)(event=normal) (event=xx)(event=yy)(event=zz)(event=normal)"|makemv events|mvexpand events|streamstats count as uniqueField
|rex field=events max_match=0 "event=(?<EVENTS>.+?)\)"
|eval Total=mvcount(EVENTS)
|stats count as event_count,max(Total) as Total by EVENTS,uniqueField

 

 

Let's know your final output format. We can fine tune w.r.t count and total

 

Happy Splunking!

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎07-06-2020 11:09 PM

@jbax,

Try regex

 

|rex field=events max_match=0 "event=(?<EVENTS>.+?)\)"

 

From the result, you can do rest of the stats

Sample data

 

|makeresults|eval events="(event=aa)(event=bb)(event=cc)(event=normal) (event=xx)(event=yy)(event=zz)(event=normal)"|makemv events|mvexpand events|streamstats count as uniqueField
|rex field=events max_match=0 "event=(?<EVENTS>.+?)\)"
|eval Total=mvcount(EVENTS)
|stats count as event_count,max(Total) as Total by EVENTS,uniqueField

 

 

Let's know your final output format. We can fine tune w.r.t count and total

 

Happy Splunking!
0 Karma
Reply
Solved! Jump to solution

jbax
Engager
‎07-07-2020 09:08 PM

@renjith_nair 

 

Thanks, this worked well for me!   Would you know of a way to exclude values (ie - normal)?  

Thank you!

0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎07-07-2020 09:26 PM

Sure. Just add this after the rex command

|eval EVENTS=mvfilter(!match(EVENTS,"normal"))
Happy Splunking!
0 Karma
Reply
Get Updates on the Splunk Community!

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...