Re: How to combine multiple values to single row

staymini · ‎01-04-2022

I want to divide different multi-values based on IP.

Current results:

IP

date

event

risk

1.1.1.1

2022-01-01

2022-01-02

apache struts

ipv4 fragment

high

row

my search:

mysearch 
| mvexpand date
| mvexpand event
| mvexpand risk

| table ip date event risk

reuslt:

IP	date	event	risk
1.1.1.1	2022-01-01	apache struts	high
1.1.1.1	2022-01-01	apache struts	row
1.1.1.1	2022-01-01	ipv4 fragment	high
1.1.1.1	2022-01-01	ipv4 fragment	row
1.1.1.1	2022-01-02	apache struts	high
1.1.1.1	2022-01-02	apache struts	row
1.1.1.1	2022-01-02	ipv4 fragment	high
1.1.1.1	2022-01-02	ipv4 fragment	row

I want

IP	date	event	risk
1.1.1.1	2022-01-01	apache struts	high
1.1.1.1	2022-01-02	ipv4 fragment	row

please help me...

johnhuang · ‎01-04-2022

Try this:

MySearch
| eval combined=mvzip(mvzip(event, risk, "|"), date, "|")
| mvexpand combined
| rex field=combined "^(?<date>[^|]*)\|(?<event>[^|]*)\|(?<risk>[^|]*)"
| table ip date event risk

If your data contains "|", you can use a different delimiter like ";".

staymini · ‎01-07-2022

Oh, thank you so much.

SinghK · ‎01-07-2022

I think just dedup on event field would do ..

richgalloway · ‎01-04-2022

The grouping command is called, unintuitively, stats. Events are grouped by the fields specified in the by clause, like this:

| stats values(*) as * by event
| table IP date event risk

Another way is like this:

| stats count by IP date event risk
| table IP date event risk

---
If this reply helps you, Karma would be appreciated.

How to combine multiple values to single row

fields

stats

Leveraging Detections from the Splunk Threat Research Team & Cisco Talos

New in Splunk Observability Cloud: Automated Archiving for Unused Metrics

Calling All Security Pros: Ready to Race Through Boston?

Are you a member of the Splunk Community?