Solved: Help with splitting multiline event needed

damucka · ‎10-14-2021

Hello,

I read my data with the inputlookup command and try to count the different occurrences of the field fields.SID as below:

| makeresults
| eval time=relative_time(now(),"-24h")
| eval time=ceil(time)
| table time
| map [ |inputlookup incidents where alert_time > $time$ ]

| join incident_id 
  [ |inputlookup incident_results ]
| fields fields.SID
| search fields.SID=*
| mvexpand fields.SID

Unfortunately, whatever tricks I do I am always getting several SIDs packed into a single event, see the screenshot below.

How would I split it the way to have each fields.SID in separate row to be able to count it?

Kind Regards,

Kamil

damucka · ‎10-20-2021

I created another question where I rephrased the issue and got the solution below. Therefore i am closing this one.

https://community.splunk.com/t5/Splunk-Search/Help-with-regex-needed/m-p/571370#M199106

View solution in original post

damucka · ‎10-20-2021

I created another question where I rephrased the issue and got the solution below. Therefore i am closing this one.

https://community.splunk.com/t5/Splunk-Search/Help-with-regex-needed/m-p/571370#M199106

Help with splitting multiline event needed

eval

fields

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

Announcing Modern Navigation: A New Era of Splunk User Experience

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Join the Conversation