Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Help with splitting multiline event needed

damucka
Builder
‎10-14-2021 02:37 AM

Hello,

I read my data with the inputlookup command and try to count the different occurrences of the field fields.SID as below:

 

 

 

 

| makeresults
| eval time=relative_time(now(),"-24h")
| eval time=ceil(time)
| table time
| map [ |inputlookup incidents where alert_time > $time$ ]

| join incident_id 
  [ |inputlookup incident_results ]
| fields fields.SID
| search fields.SID=*
| mvexpand fields.SID

 

 

 

 

 

Unfortunately, whatever tricks I do I am always getting several SIDs packed into a single event, see the screenshot below. 

How would I split it the way to have each fields.SID in separate row to be able to count it?

Kind Regards,

Kamil

Labels (2)
Labels
Tags (1)
Preview file
72 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

damucka
Builder
‎10-20-2021 02:32 AM

I created another question where I rephrased the issue and got the solution below. Therefore i am closing this one.

https://community.splunk.com/t5/Splunk-Search/Help-with-regex-needed/m-p/571370#M199106

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

damucka
Builder
‎10-20-2021 02:32 AM

I created another question where I rephrased the issue and got the solution below. Therefore i am closing this one.

https://community.splunk.com/t5/Splunk-Search/Help-with-regex-needed/m-p/571370#M199106

 

0 Karma
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...