How to consolidate events into one event by using a multi-value field to lookup values?

jdschmitz
New Member

Trying to take a multi-value field, use it to look up values, and then place the returned information into the correct field without making a new event. I have a field that has up to 4 references to labels that I can use the lookup command to find. I have used makemv delim=',' to break out the label references and then used that data to search a lookup table. The issue is that each lookup creates a new event with that retrieved lookup as the new entry on the event. The next label in the multi-value field will create another new entry. This happens for each label in the multi-value field. I want to take each of these new events and then consolidate them into one event. The label lookup will provide a KEY and the VALUE. I use case to put the LABEL into the new field based on the KEY.

```
| script getallworkloads.wrapper
| table href labels os_detail agent
| rex field=os_detail \((?.+)\)
| rex field=agent agent_version('.*?)'(?<agent_version>.*?)'
| rex field=href "\/orgs\/1\/workloads\/(?<workload_uuid>.*)"
| makemv delim="," labels
| rex field=labels "(?<label>\/orgs\/1\/labels\/\d+)'}"
| mvexpand label
| lookup getLabels href as label OUTPUT
| eval app=case(key="app", value)
| eval role=case(key="role", value)
| eval loc=case(key="loc", value)
| eval env=case(key="env", value)
| table workload_uuid os_detail agent_version role app env loc
| outputlookup illumioLabels.csv
```

and this is an example of the output:

```
workload_uuid                         os_detail                             agent_version          role   app   env          loc
87b4d708-38cd-4488-9ca9-662f4e601ff5  CentOS Linux release 7.2.1511 (Core)  16.6.0-20160713085930                Development
87b4d708-38cd-4488-9ca9-662f4e601ff5  CentOS Linux release 7.2.1511 (Core)  16.6.0-20160713085930                             US
87b4d708-38cd-4488-9ca9-662f4e601ff5  CentOS Linux release 7.2.1511 (Core)  16.6.0-20160713085930         AppX
87b4d708-38cd-4488-9ca9-662f4e601ff5  CentOS Linux release 7.2.1511 (Core)  16.6.0-20160713085930  Role1
47a7ff97-a742-4d0d-bee5-f4cb9157ea65  CentOS Linux release 7.2.1511 (Core)  16.6.0-20160713085930                Development
47a7ff97-a742-4d0d-bee5-f4cb9157ea65  CentOS Linux release 7.2.1511 (Core)  16.6.0-20160713085930                             US
47a7ff97-a742-4d0d-bee5-f4cb9157ea65  CentOS Linux release 7.2.1511 (Core)  16.6.0-20160713085930         AppX
47a7ff97-a742-4d0d-bee5-f4cb9157ea65  CentOS Linux release 7.2.1511 (Core)  16.6.0-20160713085930  Role3
```

Looking for a way to make the data look like this:

```
workload_uuid                         os_detail                             agent_version          role   app   env          loc
87b4d708-38cd-4488-9ca9-662f4e601ff5  CentOS Linux release 7.2.1511 (Core)  16.6.0-20160713085930  Role1  AppX  Development  US
47a7ff97-a742-4d0d-bee5-f4cb9157ea65  CentOS Linux release 7.2.1511 (Core)  16.6.0-20160713085930  Role3  AppX  Development  US
```


sundareshr
Legend

Try this

```
| script getallworkloads.wrapper
| table href labels os_detail agent
| rex field=os_detail \((?.+)\)
| rex field=agent agent_version('.*?)'(?<agent_version>.*?)'
| rex field=href "\/orgs\/1\/workloads\/(?<workload_uuid>.*)"
| makemv delim="," labels
| rex field=labels "(?<label>\/orgs\/1\/labels\/\d+)'}"
| mvexpand label
| lookup getLabels href as label OUTPUT
| eval app=case(key="app", value)
| eval role=case(key="role", value)
| eval loc=case(key="loc", value)
| eval env=case(key="env", value)
| stats values(os_detail) as os_detail, values(agent_version) as agent_version, values(role) as role, values(app) as app, values(env) as env, values(loc) as loc by workload_uuid
| outputlookup illumioLabels.csv
```
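The expand-lookup-regroup pattern from the question and the reply, written out as an added example; this is not code from either poster. It assumes the same field names as the original search (`href`, `labels`, `os_detail`, `agent_version`, a `getLabels` lookup that returns `key` and `value` for a label `href`) and that `os_detail` and `agent_version` have already been extracted by the earlier `rex` commands, which are left out here. The label hrefs are pulled straight out of `labels` with `max_match=0`, so no `makemv` is needed, and the regroup is keyed on `workload_uuid`, the one field every expanded row shares.

```spl
| script getallworkloads.wrapper
| table href labels os_detail agent_version
| rex field=href "/orgs/1/workloads/(?<workload_uuid>.*)"
| rex field=labels max_match=0 "(?<label>/orgs/1/labels/\d+)"
| mvexpand label
| lookup getLabels href AS label OUTPUT key value
| eval role=if(key="role", value, null()),
       app=if(key="app", value, null()),
       env=if(key="env", value, null()),
       loc=if(key="loc", value, null())
| stats values(os_detail) AS os_detail,
        values(agent_version) AS agent_version,
        values(role) AS role,
        values(app) AS app,
        values(env) AS env,
        values(loc) AS loc
        BY workload_uuid
| table workload_uuid os_detail agent_version role app env loc
| outputlookup illumioLabels.csv
```

The `BY` clause is the part that matters: `stats` silently discards any event in which one of its `BY` fields is null, and after `mvexpand` each row carries exactly one of `role`, `app`, `env` and `loc`, so grouping by those four fields throws away every row instead of merging them. Grouping by `workload_uuid` keeps all of them, and `values()` collapses the per-label rows back into one row per workload while ignoring the nulls, which is the shape the question asks for.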