Splunk Search

How to combine multiple values to single row

staymini
Explorer

I want to divide different multi-values based on IP.

Current results:

IPdateeventrisk
1.1.1.1

2022-01-01

2022-01-02

apache struts

ipv4 fragment

high

row

 

my search:

mysearch 
| mvexpand date
| mvexpand event
| mvexpand risk

| table ip date event risk

reuslt:

IPdateeventrisk
1.1.1.1

2022-01-01

apache struts

high

1.1.1.1

2022-01-01

apache struts

row

1.1.1.1

2022-01-01

ipv4 fragment

high

1.1.1.12022-01-01

 

ipv4 fragment

row

1.1.1.1

2022-01-02

apache struts

high

1.1.1.1

2022-01-02

apache struts

row

1.1.1.1

2022-01-02

ipv4 fragment

high

1.1.1.1

2022-01-02

ipv4 fragment

row

 

I want

IPdateeventrisk
1.1.1.1

2022-01-01

apache struts

high

1.1.1.1

2022-01-02

ipv4 fragment

row

please help me...

Labels (2)

johnhuang
Motivator

Try this:

MySearch
| eval combined=mvzip(mvzip(event, risk, "|"), date, "|")
| mvexpand combined
| rex field=combined "^(?<date>[^|]*)\|(?<event>[^|]*)\|(?<risk>[^|]*)"
| table ip date event risk

 
If your data contains "|", you can use a different delimiter like ";".

 

staymini
Explorer

Oh, thank you so much.

0 Karma

SinghK
Builder

I think just dedup on event field would do ..

0 Karma

richgalloway
SplunkTrust
SplunkTrust

The grouping command is called, unintuitively, stats.  Events are grouped by the fields specified in the by clause, like this:

| stats values(*) as * by event
| table IP date event risk

Another way is like this:

| stats count by IP date event risk
| table IP date event risk
---
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

Full-Stack Security in Financial Services: AppDynamics, Cisco Secure Application, and ...

Full-Stack Security in Financial Services: AppDynamics, Cisco Secure Application, and Splunk ES Protecting a ...

It's Customer Success Time at .conf25

Hello Splunkers,   Ready for .conf25? The customer success and experience team is and can’t wait to see you ...

Pro Tips for First-Time .conf Attendees: Advice from SplunkTrust

Heading to your first .Conf? You’re in for an unforgettable ride — learning, networking, swag collecting, ...