Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to find the last regex match for a multi-valued field in a transaction

responsys_cm
Builder
‎06-13-2013 06:13 PM

We're finding that when large files are downloaded from the Internet, the application whitelisting client reports a "new file" with a different hash multiple times as the download completes.

I essentially want to dedup the events by host, file, path but only over a very limited time window (like 5 minutes). If I use transaction to group those events and it puts the values of the file hash in a multi-value field (in time order, not sort order I believe), how do I extract just that last hash?

Or is there some way to combine dedup and bins or something like that.

Thanks.

C

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Ayn
Legend
‎06-13-2013 11:09 PM

How about using bucket (aka bin) and stats instead?

... | bucket _time span=5m | stats last(hash) by _time

If you still want to go the transaction / mvfield route you could probably reach some success by using eval's mvindex function (an index of "-1" returns the last item in the list).

View solution in original post

Reply
Solved! Jump to solution
Solution

Ayn
Legend
‎06-13-2013 11:09 PM

How about using bucket (aka bin) and stats instead?

... | bucket _time span=5m | stats last(hash) by _time

If you still want to go the transaction / mvfield route you could probably reach some success by using eval's mvindex function (an index of "-1" returns the last item in the list).

Reply
Solved! Jump to solution

kristian_kolb
Ultra Champion
‎06-17-2013 12:56 PM

over all events. But if you do a

... | dedup hash _time | ...

you'll dedup the combination of the fields, so in this case you'll get one hash per bucket of time.

/K

0 Karma
Reply
Solved! Jump to solution

responsys_cm
Builder
‎06-17-2013 12:39 PM

Thanks, Ayn! Quick question, if I run dedup after the bucket command, will Splunk only dedup events in each bucket or will it dedup over all events?

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

What Is Splunk? Here’s What You Can Do with Splunk

Hey Splunk Community, we know you know Splunk. You likely leverage its unparalleled ability to ingest, index, ...

Level Up Your .conf25: Splunk Arcade Comes to Boston

With .conf25 right around the corner in Boston, there’s a lot to look forward to — inspiring keynotes, ...

Manual Instrumentation with Splunk Observability Cloud: How to Instrument Frontend ...

Although it might seem daunting, as we’ve seen in this series, manual instrumentation can be straightforward ...