Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I table 3 distinct values within the same event if all values share the same field name?

monteirolopes
Communicator
‎04-13-2016 12:41 PM

Hi,

In my log, I have the same name field for three distinct values in the same event. For example:

...
Security ID:Joseph Security ID:Admin Security ID:Lopes
..

When I use the search:

... | table Security_ID

Splunk shows me:
(2 events)

Security ID

Joseph
Admin
Lopes

...

John
Felippe
Brian

How cCan I distinguish this information on three distinct fields in a search? I tried to create field extractions, but the log has a lot of data and my sample does not appear by entire.

Security ID

Joseph (field 1)
Admin (field 2)
Lopes (field 3)
...

John (field 1)
Felippe (field 2)
Brian (field 3)

Best regards,
Lopes.

tableid.jpg
Preview file
20 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎04-13-2016 01:21 PM

Here is a runanywhere example of how you can do this

| gentimes start=-1 | eval _raw="Security ID:Joseph Security ID:Admin Security ID:Lopes" | rex max_match=3 "ID:(?<id>\w+)" | nomv id | table id

If you wan them as separate fields you could do this

| gentimes start=-1 | eval _raw="Security ID:Joseph Security ID:Admin Security ID:Lopes" | rex max_match=3 "ID:(?<id>\w+)" | eval f1=mvindex(id, 0) | eval f2=mvindex(id, 1) | eval f3=mvindex(id, 2) | table f1 f2 f3

View solution in original post

Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎04-13-2016 01:21 PM

Here is a runanywhere example of how you can do this

| gentimes start=-1 | eval _raw="Security ID:Joseph Security ID:Admin Security ID:Lopes" | rex max_match=3 "ID:(?<id>\w+)" | nomv id | table id

If you wan them as separate fields you could do this

| gentimes start=-1 | eval _raw="Security ID:Joseph Security ID:Admin Security ID:Lopes" | rex max_match=3 "ID:(?<id>\w+)" | eval f1=mvindex(id, 0) | eval f2=mvindex(id, 1) | eval f3=mvindex(id, 2) | table f1 f2 f3
Reply
Solved! Jump to solution

monteirolopes
Communicator
‎04-14-2016 05:43 AM

Is there a generic way to do without writing the values ​​of the lines? I have a lot of event values ​​in the same search.

0 Karma
Reply
Solved! Jump to solution

monteirolopes
Communicator
‎04-14-2016 10:02 AM

Worked perfectly!

Thank you very much!

0 Karma
Reply
Solved! Jump to solution

ppablo
Retired
‎04-18-2016 04:45 PM

Hi @monteirolopes

Glad you were able to find a solution on Answers from @sundareshr 🙂 Please don't forget to resolve the post by clicking "Accept" directly below his answer. This will make it easier to find for other users with a similar issue. Thanks!

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎04-14-2016 08:49 AM

Not sure I understand. This is is runanywhere example. When you use it, you will ignore everthing before the rex command. The rex is a generic regular expression that will extract as long as the field name ends with "ID:" and the values are single word values. If there could be more than 3 fields, you can change the max_match to whatever number you think you need. Setting max_match to 0 will yield unlimited matches in a single event.

As far as the mvindex function is concerned, not sure there is a generic way to do that.

Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
Top