Splunk Search

How to combine multiple values to single row

staymini
Explorer

I want to divide different multi-values based on IP.

Current results:

IPdateeventrisk
1.1.1.1

2022-01-01

2022-01-02

apache struts

ipv4 fragment

high

row

 

my search:

mysearch 
| mvexpand date
| mvexpand event
| mvexpand risk

| table ip date event risk

reuslt:

IPdateeventrisk
1.1.1.1

2022-01-01

apache struts

high

1.1.1.1

2022-01-01

apache struts

row

1.1.1.1

2022-01-01

ipv4 fragment

high

1.1.1.12022-01-01

 

ipv4 fragment

row

1.1.1.1

2022-01-02

apache struts

high

1.1.1.1

2022-01-02

apache struts

row

1.1.1.1

2022-01-02

ipv4 fragment

high

1.1.1.1

2022-01-02

ipv4 fragment

row

 

I want

IPdateeventrisk
1.1.1.1

2022-01-01

apache struts

high

1.1.1.1

2022-01-02

ipv4 fragment

row

please help me...

Labels (2)

johnhuang
Motivator

Try this:

MySearch
| eval combined=mvzip(mvzip(event, risk, "|"), date, "|")
| mvexpand combined
| rex field=combined "^(?<date>[^|]*)\|(?<event>[^|]*)\|(?<risk>[^|]*)"
| table ip date event risk

 
If your data contains "|", you can use a different delimiter like ";".

 

staymini
Explorer

Oh, thank you so much.

0 Karma

SinghK
Builder

I think just dedup on event field would do ..

0 Karma

richgalloway
SplunkTrust
SplunkTrust

The grouping command is called, unintuitively, stats.  Events are grouped by the fields specified in the by clause, like this:

| stats values(*) as * by event
| table IP date event risk

Another way is like this:

| stats count by IP date event risk
| table IP date event risk
---
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...