Splunk Search

How to expand events that contain multivalue fields into separate events with unique field value pairs?

chvnc
Explorer

The problem here is my actual events are as below
1.event_id=1 name1=x name2=y name3=z responsetime1=4 responsetime2=5 responsetime3=6
2.event_id=2 name1=a name2=b name3=c responsetime1=7 responsetime3=8 responsetime3=9

I need something like this

events
1.event_id=1 name=x responsetime=4
2.event_id=1 name=y responsetime=5
3.event_id=1 name=z responsetime=6
4.event_id=2 name=a responsetime=7
5.event_id=2 name=b responsetime=8
6.event_id=2 name=c responsetime=9

0 Karma

sundareshr
Legend

See if this works

base search 
| rex field=x max_match=0 "event_id=(?<event_id>\d+)" 
| rex field=x max_match=0 "name\d=(?<name>\w+)" 
| rex field=x max_match=0 "responsetime\d=(?<responsetime>\d+)" 
| eval z=mvzip(name, responsetime) 
| mvexpand z 
| rex field=z "(?<name>[^,]+),(?<responsetime>.*)" 
| streamstats count as event_id 
| table event_id name responsetime
0 Karma

chvnc
Explorer

The problem here is my actual events are as below
1.event_id=1 name1=x name2=y name3=z responsetime1=4 responsetime2=5 responsetime3=6
2.event_id=2 name1=a name2=b name3=c responsetime1=7 responsetime3=8 responsetime3=9

I need something like this

events
1.event_id=1 name=x responsetime=4
2.event_id=1 name=y responsetime=5
3.event_id=1 name=z responsetime=6
4.event_id=2 name=a responsetime=7
5.event_id=2 name=x responsetime=8
6.event_id=2 name=x responsetime=9

0 Karma

sundareshr
Legend

Try updated ans

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...