How to extract a field from multi valued event?

jkirankumar1993
New Member

Hi,

This is the sample event

GA.769:180302:113834:: INFO.PSA: Getting issue for ID: 931778
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'AE Test Fail' of type com.atlassian.servicedesk.internal.sla.customfield.SLACFType w...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'AE Testing in Progress' of type com.atlassian.servicedesk.internal.sla.customfield.S...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Activating' of type com.atlassian.servicedesk.internal.sla.customfield.SLACFType was...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Adding to .Net Website' of type com.atlassian.servicedesk.internal.sla.customfield.S...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'All Sec Incidents (closed)' of type com.atlassian.servicedesk.internal.sla.customfie...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Application Certification' of type com.atlassian.servicedesk.internal.sla.customfiel...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Approvals' of type com.atlassian.servicedesk.plugins.approvals.internal.customfield....
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Approvals' of type com.atlassian.servicedesk.plugins.approvals.internal.customfield....
class type: java.util.HashMap
map values: null --> 505 :: NetOps-HR
map values: 1 --> 90109
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'BHN Test' of type com.atlassian.servicedesk.internal.sla.customfield.SLACFType was s...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Building Test Lines' of type com.atlassian.servicedesk.internal.sla.customfield.SLAC...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Checking Connectivity' of type com.atlassian.servicedesk.internal.sla.customfield.SL...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Connect to Network and Add to INS' of type com.atlassian.servicedesk.internal.sla.cu...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Connecting MTA to Network' of type com.atlassian.servicedesk.internal.sla.customfiel...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Creating Test Accounts' of type com.atlassian.servicedesk.internal.sla.customfield.S...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Customer Request Type' of type com.atlassian.servicedesk.internal.customfields.origi...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Customer Response Time' of type com.atlassian.servicedesk.internal.sla.customfield.S...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'DOCSIS Test' of type com.atlassian.servicedesk.internal.sla.customfield.SLACFType wa...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Days to Resolution' of type com.atlassian.servicedesk.internal.sla.customfield.SLACF...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Epic Link' of type com.atlassian.greenhopper.customfield.epiclink.EpicLinkCFType was...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'FCC 2 Weeks' of type com.atlassian.servicedesk.internal.sla.customfield.SLACFType wa...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'FCC 3 Weeks' of type com.atlassian.servicedesk.internal.sla.customfield.SLACFType wa...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'First Response' of type com.atlassian.servicedesk.internal.sla.customfield.SLACFType...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'First Response Task Metric' of type com.atlassian.servicedesk.internal.sla.customfie...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'IT Testing' of type com.atlassian.servicedesk.internal.sla.customfield.SLACFType was...

When I use a regular expression I get the value from the first line but not from the other lines. I want to capture the fields that start after INFO.getCustomFieldValues(): field.

0 Karma
1 Solution

niketn
Legend

@jkirankumar1993, you would need to use max_match=0 to fetch multiple values for the multi-valued field extraction using the rex command. Try the following run-anywhere search based on the sample data provided:

| makeresults
| eval _raw="GA.769:180302:113834:: INFO.PSA: Getting issue for ID: 931778
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'AE Test Fail' of type com.atlassian.servicedesk.internal.sla.customfield.SLACFType w...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'AE Testing in Progress' of type com.atlassian.servicedesk.internal.sla.customfield.S...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Activating' of type com.atlassian.servicedesk.internal.sla.customfield.SLACFType was...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Adding to .Net Website' of type com.atlassian.servicedesk.internal.sla.customfield.S...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'All Sec Incidents (closed)' of type com.atlassian.servicedesk.internal.sla.customfie...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Application Certification' of type com.atlassian.servicedesk.internal.sla.customfiel...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Approvals' of type com.atlassian.servicedesk.plugins.approvals.internal.customfield....
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Approvals' of type com.atlassian.servicedesk.plugins.approvals.internal.customfield....
class type: java.util.HashMap
map values: null --> 505 :: NetOps-HR
map values: 1 --> 90109
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'BHN Test' of type com.atlassian.servicedesk.internal.sla.customfield.SLACFType was s...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Building Test Lines' of type com.atlassian.servicedesk.internal.sla.customfield.SLAC...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Checking Connectivity' of type com.atlassian.servicedesk.internal.sla.customfield.SL...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Connect to Network and Add to INS' of type com.atlassian.servicedesk.internal.sla.cu...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Connecting MTA to Network' of type com.atlassian.servicedesk.internal.sla.customfiel...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Creating Test Accounts' of type com.atlassian.servicedesk.internal.sla.customfield.S...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Customer Request Type' of type com.atlassian.servicedesk.internal.customfields.origi...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Customer Response Time' of type com.atlassian.servicedesk.internal.sla.customfield.S...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'DOCSIS Test' of type com.atlassian.servicedesk.internal.sla.customfield.SLACFType wa...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Days to Resolution' of type com.atlassian.servicedesk.internal.sla.customfield.SLACF...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Epic Link' of type com.atlassian.greenhopper.customfield.epiclink.EpicLinkCFType was...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'FCC 2 Weeks' of type com.atlassian.servicedesk.internal.sla.customfield.SLACFType wa...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'FCC 3 Weeks' of type com.atlassian.servicedesk.internal.sla.customfield.SLACFType wa...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'First Response' of type com.atlassian.servicedesk.internal.sla.customfield.SLACFType...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'First Response Task Metric' of type com.atlassian.servicedesk.internal.sla.customfie...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'IT Testing' of type com.atlassian.servicedesk.internal.sla.customfield.SLACFType was..."
| rex "INFO\.getCustomFieldValues\(\):\sfield\s\'(?<myField>[^\']+)\'\sof\stype" max_match=0
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"


0 Karma

jkirankumar1993
New Member

Your query worked great for this single event. But I have a series of events and I want to extract these values as a field so that I can make a report.

0 Karma

niketn
Legend

Try adding mvexpand to your query to expand the multiple values, if that is what you want.

<yourBaseSearch>
| fields _raw
| rex "INFO\.getCustomFieldValues\(\):\sfield\s\'(?<myField>[^\']+)\'\sof\stype" max_match=0
| mvexpand myField 
| table myField
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
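The two answers above rely on rex max_match=0 (every match becomes one value of a multi-value field) and mvexpand (one row per value). The following is an added example, not code from the thread or from Splunk: it mirrors those semantics with Python's re module over two constructed events trimmed from the log format shown in the question, so the difference between "first match only" and "all matches, then expanded" can be checked offline. The helper names rex_first, rex_all and mvexpand are hypothetical.

```python
import re

# The same pattern as the rex in the accepted answer, as a Python regex.
# It captures the quoted field name after "INFO.getCustomFieldValues(): field".
FIELD_RE = re.compile(
    r"INFO\.getCustomFieldValues\(\):\sfield\s'(?P<myField>[^']+)'\sof\stype"
)

# Constructed sample: two multi-line events in the question's log format,
# shortened to a few lines each (the original lines are longer).
EVENTS = [
    "GA.769:180302:113834:: INFO.PSA: Getting issue for ID: 931778\n"
    "GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'AE Test Fail' of type com.atlassian.servicedesk.internal.sla.customfield.SLACFType w...\n"
    "GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Activating' of type com.atlassian.servicedesk.internal.sla.customfield.SLACFType was...\n"
    "class type: java.util.HashMap\n"
    "map values: null --> 505 :: NetOps-HR\n"
    "GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'BHN Test' of type com.atlassian.servicedesk.internal.sla.customfield.SLACFType was s...",
    "GA.770:180302:113900:: INFO.PSA: Getting issue for ID: 931779\n"
    "GA.770:180302:113900:: INFO.getCustomFieldValues(): field 'Epic Link' of type com.atlassian.greenhopper.customfield.epiclink.EpicLinkCFType was...",
]


def rex_first(event):
    """Default rex behaviour: only the first match in the event is returned."""
    m = FIELD_RE.search(event)
    return m.group("myField") if m else None


def rex_all(event):
    """rex ... max_match=0: every match becomes one value of a multi-value field."""
    return [m.group("myField") for m in FIELD_RE.finditer(event)]


def mvexpand(events):
    """mvexpand myField | table myField: one row per (event, value) pair.

    The event index is kept so a report can still group values by source event."""
    rows = []
    for idx, event in enumerate(events):
        for value in rex_all(event):
            rows.append({"event": idx, "myField": value})
    return rows


if __name__ == "__main__":
    for e in EVENTS:
        print("first only:", rex_first(e))
        print("all values:", rex_all(e))
    for row in mvexpand(EVENTS):
        print(row)
```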

jkirankumar1993
New Member

Worked Great. Thanks a lot

0 Karma

niketn
Legend

Glad you found it working. Please upvote the comments that helped 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

jkirankumar1993
New Member

I have a series of events like this. I want to extract a field called "custom_field" from all these multi-valued events.

Example or sample output of extracted field:

AE Test Fail
AE Testing in Progress
Activating
.............
.............

Note: I don't have access to any config files. So, can you tell me any regular expression to capture all those values?

0 Karma