Hi @richgalloway ,

when i copy your code directly it works well, and is exactly what i want.

but when i use the actual data i got it working till the last '| eval result=group . "," . node'. it does not seem to provide any output as shown below in RESULT. .

im thinking maybe cause it has spaces in between the original one?

here is the output of the result.

splunk i think reformats and removes some of the tabs/spaces in between the original.

| rex field=Redundancy_group mode=sed "s/\n\n/\n/g"
| rex field=Redundancy_group max_match=0 "(?<group>Redundancy.*)"
| rex field=Redundancy_group max_match=0 "(?<node>node.*)"
| filldown group
| where isnotnull(node)
| eval result=group . "," . group
|table group node result

group node result

The difference in our queries is yours is trying to work with multi-value fields.  MV fields don't behave the same as single-value fields, which is why you get different results.

Can you please provide a more realistic example of the data (sanitized, of course) so we can offer something that might work?

@richgalloway 

here you go.

Nov 27 13:36:45
Monitor Failure codes:
CS Cold Sync monitoring FL Fabric Connection monitoring
GR GRES monitoring HW Hardware monitoring
IF Interface monitoring IP IP monitoring
LB Loopback monitoring MB Mbuf monitoring
NH Nexthop monitoring NP NPC monitoring
SP SPU monitoring SM Schedule monitoring
CF Config Sync monitoring RE Relinquish monitoring
IS IRQ storm

Cluster ID: 1
Node Priority Status Preempt Manual Monitor-failures

Redundancy group: 0 , Failover count: 0
node0 200 primary no no None
node1 2 secondary no no None

Redundancy group: 1 , Failover count: 2
node0 200 primary no no None
node1 20 secondary no no None

Redundancy group: 2 , Failover count: 2
node0 200 primary no no None
node1 2 secondary no no None

{primary:node0}

What about the current SPL and the desired output?

the SPL is a mixture of your suggested but i just made a few modification (which is probably all wrong) lol

| rex field="show chassis cluster status _ no_more" max_match=0 "(?s)Monitor-failures[\n][\n](?<Redundancy_group>.*)[\n][\n]"
| fields Redundancy_group
| rex "(?<group>Redundancy.*)"
| rex "(?<node>node.*)"
| filldown group
| where isnotnull(node)
| eval result=group . "," . group
|table group node result

desired result is still the original 🙂 desired result.

Redundancy group: 0 , Failover count: 0,node0 200 primary no no None
Redundancy group: 0 , Failover count: 0,node1 2 secondary no no None
Redundancy group: 1 , Failover count: 0,node0 200 primary no no None
Redundancy group: 1 , Failover count: 0,node1 2 secondary no no None
Redundancy group: 2 , Failover count: 0,node0 200 primary no no None
Redundancy group: 2 , Failover count: 0,node1 2 secondary no no None

@richgalloway 

hi rich, im sorry, i tried to use exact code you gave and it didnt work, so i kinda tried some other stuff. as far as the data. it is what i sent. attach is the image.

but when i try to use yours which looks similar/identical to the one here its not. i am thinking its something to do with the formatting of splunk when i paste the output here.

I can't do anything with a screenshot other than see you have a lot of information in one multi-value field.

Let's step back and look at how this result was produced.  Perhaps if another approach is used we can get the desired result.

Please share the raw data, the current SPL, and the desired output.

hi @richgalloway that is correct.

its basically just node0 and node1 because its below redundancy group0 for example.

so each redudancy group 1,2,3 has their own Node0 and Node1 output. would simply want to group them in 1 line.

hope it makes sense.