Solved: Help with splitting multiline event needed

damucka · ‎10-14-2021

Hello,

I read my data with the inputlookup command and try to count the different occurrences of the field fields.SID as below:

| makeresults
| eval time=relative_time(now(),"-24h")
| eval time=ceil(time)
| table time
| map [ |inputlookup incidents where alert_time > $time$ ]

| join incident_id 
  [ |inputlookup incident_results ]
| fields fields.SID
| search fields.SID=*
| mvexpand fields.SID

Unfortunately, whatever tricks I do I am always getting several SIDs packed into a single event, see the screenshot below.

How would I split it the way to have each fields.SID in separate row to be able to count it?

Kind Regards,

Kamil

damucka · ‎10-20-2021

I created another question where I rephrased the issue and got the solution below. Therefore i am closing this one.

https://community.splunk.com/t5/Splunk-Search/Help-with-regex-needed/m-p/571370#M199106

View solution in original post

damucka · ‎10-20-2021

I created another question where I rephrased the issue and got the solution below. Therefore i am closing this one.

https://community.splunk.com/t5/Splunk-Search/Help-with-regex-needed/m-p/571370#M199106

Help with splitting multiline event needed

eval

fields

Splunk Observability for AI

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Splunk Observability as Code: From Zero to Dashboard

Are you a member of the Splunk Community?