Solved: Help with splitting multiline event needed

damucka · ‎10-14-2021

Hello,

I read my data with the inputlookup command and try to count the different occurrences of the field fields.SID as below:

| makeresults
| eval time=relative_time(now(),"-24h")
| eval time=ceil(time)
| table time
| map [ |inputlookup incidents where alert_time > $time$ ]

| join incident_id 
  [ |inputlookup incident_results ]
| fields fields.SID
| search fields.SID=*
| mvexpand fields.SID

Unfortunately, whatever tricks I do I am always getting several SIDs packed into a single event, see the screenshot below.

How would I split it the way to have each fields.SID in separate row to be able to count it?

Kind Regards,

Kamil

damucka · ‎10-20-2021

I created another question where I rephrased the issue and got the solution below. Therefore i am closing this one.

https://community.splunk.com/t5/Splunk-Search/Help-with-regex-needed/m-p/571370#M199106

View solution in original post

damucka · ‎10-20-2021

I created another question where I rephrased the issue and got the solution below. Therefore i am closing this one.

https://community.splunk.com/t5/Splunk-Search/Help-with-regex-needed/m-p/571370#M199106

Help with splitting multiline event needed

eval

fields

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!