Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to make a table with multiple multivalue f...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to make a table with multiple multivalue fields?
aadrian
Engager
08-10-2012
03:25 AM
I need to make a table with some information from events.
my event looks like:
[timestamp][some info]
[function_name_1][id_1][param_1][result_1]
[function_name_2][id_2][param_2][result_2]
[function_name_3][id_3][param_3][result_3]
...
[function_name_n][id_n][param_n][result_n]
Because my regexp only found the first occurance of the fields(function_name,id,param,result) so I used MV_ADD for all multivalue fields and now it finds all occurences.
My table should looks like:
index |timestamp |some_info |function_name |id |param |result
1 |timestamp |some_info |function_name_1|id_1 |param_1|result_1
2 |timestamp |some_info |function_name_2|id_2 |param_2|result_2
3 |timestamp |some_info |function_name_3|id_3 |param_3|result_3
4 |timestamp |some_info |function_name_4|id_4 |param_4|result_4
problem is with multivalue fields, for the last 4 column in one record I've got couple values and my table looks like:
index |timestamp |some_info |function_name |id |param |result
1 |timestamp |some_info |function_name_1|id_1|param_1|result_1
| | |function_name_2|id_2|param_2|result_2
| | |function_name_3|id_3|param_3|result_3
| | |function_name_4|id_4|param_4|result_4
2 |timestamp |some_info |function_name_1|id_1 |param_1|result_1
| | |function_name_2|id_2 |param_2|result_2
| | |function_name_3|id_3 |param_3|result_3
| | |function_name_4|id_4 |param_4|result_4
I read about mvexpand command but it doesn't work good with multiple multivalue fields.
after mvcommand for all multivalue fields I've got:
index |timestamp |some_info |function_name |id |param |result
1 |timestamp |some_info |function_name_1|id_1 |param_1|result_1
2 |timestamp |some_info |function_name_1|id_1 |param_1|result_2
3 |timestamp |some_info |function_name_1|id_1 |param_1|result_3
4 |timestamp |some_info |function_name_1|id_1 |param_1|result_4
5 |timestamp |some_info |function_name_1|id_1 |param_2|result_1
6 |timestamp |some_info |function_name_1|id_1 |param_2|result_2
7 |timestamp |some_info |function_name_1|id_1 |param_2|result_3
8 |timestamp |some_info |function_name_1|id_1 |param_2|result_4
9 |timestamp |some_info |function_name_1|id_1 |param_3|result_1
10 |timestamp |some_info |function_name_1|id_1 |param_3|result_2
11 |timestamp |some_info |function_name_1|id_1 |param_3|result_3
...
(n-1) |timestamp |some_info |function_name_4|id_4 |param_4|result_3
n |timestamp |some_info |function_name_4|id_4 |param_4|result_4
My last query looks like:
"table _time some_info function_name id param result | mvexpand function_name| mvexpand id|mvexpand param |mvexpand result"
Could any one help me with this situation.
Thanks,
Adrian.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sbsbb
Builder
01-21-2013
11:09 PM
I would try to use spath, output the result in a field, and do an mvexpand on that...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sbsbb
Builder
01-22-2013
12:06 AM
I'm not sure to understand your problem, I've done something similar with xml.
In your case, maybe you should extract all information as one field (lets say eField) " |function_name_1|id_1 |param_1|result_1", then mvexpand, and only after that, extract fields out of this eField
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
disha
Contributor
01-21-2013
11:16 PM
I have tried that. mvexpand is giving each field as one line as
P_NAME P_value
p1 m1
p2 m2
p3 m3
But I cannot figure out how to do one to one mapping of P_NAME and P_ID as I need to draw a chart like
chart first(P_value) over _time by P_NAME
Please help.
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
disha
Contributor
01-21-2013
02:08 PM
Did You find any solution..Looks like nobody answering multiple multivalued field.I am stucked with the same.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
adityapavan18
Contributor
09-20-2012
06:58 AM
Hi aadrian,
I am facing a similiar situation, have you got a solution to this?? even i am struggling to do the same.
Thnx
Get Updates on the Splunk Community!
The All New Performance Insights for Splunk
Splunk gives you amazing tools to analyze system data and make business-critical decisions, react to issues, ...
Good Sourcetype Naming
When it comes to getting data in, one of the earliest decisions made is what to use as a sourcetype. Often, ...
See your relevant APM services, dashboards, and alerts in one place with the updated ...
As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...
