Extracting values from multivalued field and mergi...

Dhruvi · ‎06-30-2020

For example :

these are some part of my logs:

sender= xyz(receiver=a, receiver =b)

sender= abc(receiver=a,receiver =d)

sender=xyz(receiver=a)

....more entries

And result should be something like:

sender=xyz receiver=a

sender=xyz receiver=b

sender=abc receiver=c

sender=abc receiver=d

and I am using remote button as input

So whenever i give input of receiver=a

it should give me a table like

sender = abc. 1

sender= xyz 2

Need help! To write query 😞

gcusello · ‎06-30-2020

Hi @Dhruvi ,

try something like this:

This is the first:

Your_search
| rex field=sender "^(?<my_sender>[^\(]*)"
| rex max_match=10 field=sender "receiver\s*\=(?<receiver>\w*)"
| mvexpand receiver
| table my_sender receiver

This is the second:

Your_search
| rex field=sender "^(?<my_sender>[^\(]*)"
| rex max_match=10 field=sender "receiver\s*\=(?<receiver>\w*)"
| mvexpand receiver
| stats count BY receiver

Ciao.

Giuseppe

Extracting values from multivalued field and merging

count

eval

field extraction

rex

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!