Splunk Search

How to combine multiple values to single row

staymini
Explorer

I want to divide different multi-values based on IP.

Current results:

IPdateeventrisk
1.1.1.1

2022-01-01

2022-01-02

apache struts

ipv4 fragment

high

row

 

my search:

mysearch 
| mvexpand date
| mvexpand event
| mvexpand risk

| table ip date event risk

reuslt:

IPdateeventrisk
1.1.1.1

2022-01-01

apache struts

high

1.1.1.1

2022-01-01

apache struts

row

1.1.1.1

2022-01-01

ipv4 fragment

high

1.1.1.12022-01-01

 

ipv4 fragment

row

1.1.1.1

2022-01-02

apache struts

high

1.1.1.1

2022-01-02

apache struts

row

1.1.1.1

2022-01-02

ipv4 fragment

high

1.1.1.1

2022-01-02

ipv4 fragment

row

 

I want

IPdateeventrisk
1.1.1.1

2022-01-01

apache struts

high

1.1.1.1

2022-01-02

ipv4 fragment

row

please help me...

Labels (2)

johnhuang
Motivator

Try this:

MySearch
| eval combined=mvzip(mvzip(event, risk, "|"), date, "|")
| mvexpand combined
| rex field=combined "^(?<date>[^|]*)\|(?<event>[^|]*)\|(?<risk>[^|]*)"
| table ip date event risk

 
If your data contains "|", you can use a different delimiter like ";".

 

staymini
Explorer

Oh, thank you so much.

0 Karma

SinghK
Builder

I think just dedup on event field would do ..

0 Karma

richgalloway
SplunkTrust
SplunkTrust

The grouping command is called, unintuitively, stats.  Events are grouped by the fields specified in the by clause, like this:

| stats values(*) as * by event
| table IP date event risk

Another way is like this:

| stats count by IP date event risk
| table IP date event risk
---
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

Set Up More Secure Configurations in Splunk Enterprise With Config Assist

This blog post is part 3 of 4 of a series on Splunk Assist. Click the links below to see the other ...

Observability Highlights | November 2022 Newsletter

 November 2022Observability CloudEnd Of Support Extension for SignalFx Smart AgentSplunk is extending the End ...

Enterprise Security Content Update (ESCU) v3.54.0

The Splunk Threat Research Team (STRT) recently released Enterprise Security Content Update (ESCU) v3.54.0 and ...