Re: How to combine multiple values to single row

staymini · ‎01-04-2022

I want to divide different multi-values based on IP.

Current results:

IP

date

event

risk

1.1.1.1

2022-01-01

2022-01-02

apache struts

ipv4 fragment

high

row

my search:

mysearch 
| mvexpand date
| mvexpand event
| mvexpand risk

| table ip date event risk

reuslt:

IP	date	event	risk
1.1.1.1	2022-01-01	apache struts	high
1.1.1.1	2022-01-01	apache struts	row
1.1.1.1	2022-01-01	ipv4 fragment	high
1.1.1.1	2022-01-01	ipv4 fragment	row
1.1.1.1	2022-01-02	apache struts	high
1.1.1.1	2022-01-02	apache struts	row
1.1.1.1	2022-01-02	ipv4 fragment	high
1.1.1.1	2022-01-02	ipv4 fragment	row

I want

IP	date	event	risk
1.1.1.1	2022-01-01	apache struts	high
1.1.1.1	2022-01-02	ipv4 fragment	row

please help me...

johnhuang · ‎01-04-2022

Try this:

MySearch
| eval combined=mvzip(mvzip(event, risk, "|"), date, "|")
| mvexpand combined
| rex field=combined "^(?<date>[^|]*)\|(?<event>[^|]*)\|(?<risk>[^|]*)"
| table ip date event risk

If your data contains "|", you can use a different delimiter like ";".

staymini · ‎01-07-2022

Oh, thank you so much.

SinghK · ‎01-07-2022

I think just dedup on event field would do ..

richgalloway · ‎01-04-2022

The grouping command is called, unintuitively, stats. Events are grouped by the fields specified in the by clause, like this:

| stats values(*) as * by event
| table IP date event risk

Another way is like this:

| stats count by IP date event risk
| table IP date event risk

---
If this reply helps you, Karma would be appreciated.

How to combine multiple values to single row

fields

stats

Set Up More Secure Configurations in Splunk Enterprise With Config Assist

Observability Highlights | November 2022 Newsletter

Enterprise Security Content Update (ESCU) v3.54.0