Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to expand multivalue fields after using streamstats command?

like2splunk
Explorer
‎04-11-2017 02:10 AM

Hello, I am trying to figure out how to expand multivalue fields after using the streamstats command.
I have an event called "Set Range" that happens frequently and sometimes there is an error after this event happens.
Occasionally there are multiple errors following a "Set Range" event.
There is useful information that I want to extract from the "Set Range" event and correlate to the respective error(s).
My search is below in ITALICS:

index="logs" process=beamCommonProcess
"Transitioned to Error State" OR "SET_RANGE activity requested for beam supply point" OR "DISABLE_BEAM activity is complete" OR "ENABLE_BEAM activity requested" OR "beam allocated to" OR "beam deallocated from"
| reverse
| streamstats count(eval(searchmatch("SET_RANGE activity requested for beam supply point"))) AS SessionID
| stats min(_time) AS _time count(eval(searchmatch("Transitioned to Error State"))) AS error_count count(eval(searchmatch("Beam allocated to"))) AS endbeam_count list(_raw) AS _raw BY SessionID
| search error_count>0
| rex "RCU Error: .?Submap: \d+\s*((?.?):"
| eval output = if(output="Device","Device Overrange",output)
| table _time SessionID rcu_msg

An example of the subsequent results is in the screenshot below (also attached):
alt text

As you can see, in some cases there are multiple "rcu_msg" events for the same SessionID.
What I want is to expand such message groups into individual line items.
In other words, instead of 6 lines with some groups as shown in the screenshot, I want 9 individual lines each correlated to their respective SessionID. Thereafter I'm going to REX the useful information, but I can't do so until the multivalue fields are expanded.
I tried mvexpand _raw but this did not do anything.

PLEASE HELP!

Tags (1)
Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gfuente
Motivator
‎04-11-2017 02:24 AM

Hello

You need to use the mvexpand command, but using the rcu_msg field, example:

... | mvexpand rcu_msg | ...

Regards

View solution in original post

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎04-11-2017 02:30 AM

@like2splunk... if you perform field extraction for rcu_msg ideally through Field Extraction Knowledge Object or in your example using rex command, you ca use the same in stats directly

 <Your Base Search>
|<Your rex command for rcu_msg>
| stats min(_time) AS _time count(eval(searchmatch("Transitioned to Error State"))) AS error_count count(eval(searchmatch("Beam allocated to"))) AS endbeam_count list(_raw) AS _raw BY SessionID, rcu_msg
| table _time SessionID rcu_msg
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution
Solution

gfuente
Motivator
‎04-11-2017 02:24 AM

Hello

You need to use the mvexpand command, but using the rcu_msg field, example:

... | mvexpand rcu_msg | ...

Regards

0 Karma
Reply
Solved! Jump to solution

cmerriman
Super Champion
‎04-11-2017 05:06 AM

you'd want to use |fillnull rcu_msg value="N/A" first, though, I believe for that blank row.

0 Karma
Reply
Get Updates on the Splunk Community!

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

We love our Splunk Community and want you to feel inspired by all your hard work! Eric Fusilero, our VP of ...

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...