Splunk Search

How to consolidate events into one event by using a multi-value field to lookup values?

New Member

Trying to take a multi-value field, using that to lookup values, then placing the returned information into the correct field without making a new event. I have a field that has up to 4 references to labels that I can use the lookup command to find. I have used makemv delim=',' to break out any of the label references and then used that data to search a lookup table. The issue is that each lookup creates a new event with that retrieved lookup as the new entry on the event. The next label in the multi-value field will create another new entry. This happens for each label in the multi-value field. I want to take each of these new events and then consolidate them into one event. The label lookup will provide a KEY and the VALUE. I use case to put the LABEL into the new field based on the KEY.

| script getallworkloads.wrapper
| table href labels os_detail agent
| rex field=os_detail \((?.+)\)
| rex field=agent agent_version('.*?)'(?.*?)'
| rex field=href "\/orgs\/1\/workloads\/(?<workload_uuid>.*)"
| makemv delim="," labels
| rex field=labels "(?<label>\/orgs\/1\/labels\/\d+)'}"
| mvexpand label
| lookup getLabels href as label OUTPUT
| eval app=case(key="app", value)
| eval role=case(key="role", value)
| eval loc=case(key="loc", value)
| eval env=case(key="env", value)
| table workload_uuid os_detail agent_version role app env loc
| outputlookup illumioLabels.csv

and this is an example of the output.

workload_uuid os_detail agent_version role app env loc
87b4d708-38cd-4488-9ca9-662f4e601ff5 CentOS Linux release 7.2.1511 (Core) 16.6.0-20160713085930 Development
87b4d708-38cd-4488-9ca9-662f4e601ff5 CentOS Linux release 7.2.1511 (Core) 16.6.0-20160713085930 US
87b4d708-38cd-4488-9ca9-662f4e601ff5 CentOS Linux release 7.2.1511 (Core) 16.6.0-20160713085930 AppX
87b4d708-38cd-4488-9ca9-662f4e601ff5 CentOS Linux release 7.2.1511 (Core) 16.6.0-20160713085930 Role1
47a7ff97-a742-4d0d-bee5-f4cb9157ea65 CentOS Linux release 7.2.1511 (Core) 16.6.0-20160713085930 Development
47a7ff97-a742-4d0d-bee5-f4cb9157ea65 CentOS Linux release 7.2.1511 (Core) 16.6.0-20160713085930 US
47a7ff97-a742-4d0d-bee5-f4cb9157ea65 CentOS Linux release 7.2.1511 (Core) 16.6.0-20160713085930 AppX
47a7ff97-a742-4d0d-bee5-f4cb9157ea65 CentOS Linux release 7.2.1511 (Core) 16.6.0-20160713085930 Role3

Looking for a way to make the data look like this:

workload_uuid os_detail agent_version role app env loc
87b4d708-38cd-4488-9ca9-662f4e601ff5 CentOS Linux release 7.2.1511 (Core) 16.6.0-20160713085930 Role1 AppX Development US
47a7ff97-a742-4d0d-bee5-f4cb9157ea65 CentOS Linux release 7.2.1511 (Core) 16.6.0-20160713085930 Role3 AppX Development US

0 Karma

Legend

Try this

| script getallworkloads.wrapper
| table href labels os_detail agent
| rex field=os_detail \((?.+)\)
| rex field=agent agent_version('.*?)'(?.*?)'
| rex field=href "\/orgs\/1\/workloads\/(?<workload_uuid>.*)"
| makemv delim="," labels
| rex field=labels "(?<label>\/orgs\/1\/labels\/\d+)'}"
| mvexpand label
| lookup getLabels href as label OUTPUT
| eval app=case(key="app", value)
| eval role=case(key="role", value)
| eval loc=case(key="loc", value)
| eval env=case(key="env", value)
| stats values(workload_uuid) as workload_uuid values(os_detail) as os_detail values(agent_version) as agent_version by env loc app role
| outputlookup illumioLabels.csv
0 Karma
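A self-contained version of the consolidation step, added here as an illustration and not taken from either post above. It uses makeresults to fabricate the two workloads from the question (the UUIDs, os_detail and agent_version strings come from the example output; the label strings are constructed to stand in for what the getLabels lookup would return as key/value pairs), reproduces the one-row-per-label expansion, and then collapses the rows back to one event per workload with stats values() keyed on the workload identity rather than on the label fields.

```spl
| makeresults count=2
| streamstats count AS n
| eval workload_uuid=if(n=1, "87b4d708-38cd-4488-9ca9-662f4e601ff5", "47a7ff97-a742-4d0d-bee5-f4cb9157ea65")
| eval os_detail="CentOS Linux release 7.2.1511 (Core)"
| eval agent_version="16.6.0-20160713085930"
| eval labels=if(n=1, "role=Role1,app=AppX,env=Development,loc=US", "role=Role3,app=AppX,env=Development,loc=US")
| makemv delim="," labels
| mvexpand labels
| rex field=labels "^(?<key>[^=]+)=(?<value>.*)$"
| eval role=case(key="role", value)
| eval app=case(key="app", value)
| eval env=case(key="env", value)
| eval loc=case(key="loc", value)
| stats values(role) AS role values(app) AS app values(env) AS env values(loc) AS loc BY workload_uuid os_detail agent_version
| table workload_uuid os_detail agent_version role app env loc
```

After the rex, the search has the same shape as the original after its lookup (one row per label, with key and value populated), so the stats line can be dropped in front of the original outputlookup unchanged; if a workload carries two labels with the same key, values() keeps both as a multivalue field, which mvjoin can flatten before writing the lookup.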