Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How do I table 3 distinct values within the same event if all values share the same field name?

monteirolopes
Communicator
‎04-13-2016 12:41 PM

Hi,

In my log, I have the same name field for three distinct values in the same event. For example:

...
Security ID:Joseph Security ID:Admin Security ID:Lopes
..

When I use the search:

... | table Security_ID

Splunk shows me:
(2 events)

Security ID

Joseph
Admin
Lopes

...

John
Felippe
Brian

How cCan I distinguish this information on three distinct fields in a search? I tried to create field extractions, but the log has a lot of data and my sample does not appear by entire.

Security ID

Joseph (field 1)
Admin (field 2)
Lopes (field 3)
...

John (field 1)
Felippe (field 2)
Brian (field 3)

Best regards,
Lopes.

Preview file
20 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎04-13-2016 01:21 PM

Here is a runanywhere example of how you can do this

| gentimes start=-1 | eval _raw="Security ID:Joseph Security ID:Admin Security ID:Lopes" | rex max_match=3 "ID:(?<id>\w+)" | nomv id | table id

If you wan them as separate fields you could do this

| gentimes start=-1 | eval _raw="Security ID:Joseph Security ID:Admin Security ID:Lopes" | rex max_match=3 "ID:(?<id>\w+)" | eval f1=mvindex(id, 0) | eval f2=mvindex(id, 1) | eval f3=mvindex(id, 2) | table f1 f2 f3

View solution in original post

Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎04-13-2016 01:21 PM

Here is a runanywhere example of how you can do this

| gentimes start=-1 | eval _raw="Security ID:Joseph Security ID:Admin Security ID:Lopes" | rex max_match=3 "ID:(?<id>\w+)" | nomv id | table id

If you wan them as separate fields you could do this

| gentimes start=-1 | eval _raw="Security ID:Joseph Security ID:Admin Security ID:Lopes" | rex max_match=3 "ID:(?<id>\w+)" | eval f1=mvindex(id, 0) | eval f2=mvindex(id, 1) | eval f3=mvindex(id, 2) | table f1 f2 f3
Reply
Solved! Jump to solution

monteirolopes
Communicator
‎04-14-2016 05:43 AM

Is there a generic way to do without writing the values ​​of the lines? I have a lot of event values ​​in the same search.

0 Karma
Reply
Solved! Jump to solution

monteirolopes
Communicator
‎04-14-2016 10:02 AM

Worked perfectly!

Thank you very much!

0 Karma
Reply
Solved! Jump to solution

ppablo
Retired
‎04-18-2016 04:45 PM

Hi @monteirolopes

Glad you were able to find a solution on Answers from @sundareshr 🙂 Please don't forget to resolve the post by clicking "Accept" directly below his answer. This will make it easier to find for other users with a similar issue. Thanks!

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎04-14-2016 08:49 AM

Not sure I understand. This is is runanywhere example. When you use it, you will ignore everthing before the rex command. The rex is a generic regular expression that will extract as long as the field name ends with "ID:" and the values are single word values. If there could be more than 3 fields, you can change the max_match to whatever number you think you need. Setting max_match to 0 will yield unlimited matches in a single event.

As far as the mvindex function is concerned, not sure there is a generic way to do that.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...