Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to make a table with multiple multivalue fields?

aadrian
Engager
‎08-10-2012 03:25 AM

I need to make a table with some information from events.

my event looks like:

[timestamp][some info]

[function_name_1][id_1][param_1][result_1]

[function_name_2][id_2][param_2][result_2]

[function_name_3][id_3][param_3][result_3]

...

[function_name_n][id_n][param_n][result_n]

Because my regexp only found the first occurance of the fields(function_name,id,param,result) so I used MV_ADD for all multivalue fields and now it finds all occurences.

My table should looks like:

index |timestamp |some_info |function_name |id |param |result

1 |timestamp |some_info |function_name_1|id_1 |param_1|result_1

2 |timestamp |some_info |function_name_2|id_2 |param_2|result_2

3 |timestamp |some_info |function_name_3|id_3 |param_3|result_3

4 |timestamp |some_info |function_name_4|id_4 |param_4|result_4

problem is with multivalue fields, for the last 4 column in one record I've got couple values and my table looks like:

index |timestamp |some_info |function_name |id |param |result

1 |timestamp |some_info |function_name_1|id_1|param_1|result_1

| | |function_name_2|id_2|param_2|result_2

| | |function_name_3|id_3|param_3|result_3

| | |function_name_4|id_4|param_4|result_4

2 |timestamp |some_info |function_name_1|id_1 |param_1|result_1

| | |function_name_2|id_2 |param_2|result_2

| | |function_name_3|id_3 |param_3|result_3

| | |function_name_4|id_4 |param_4|result_4

I read about mvexpand command but it doesn't work good with multiple multivalue fields.
after mvcommand for all multivalue fields I've got:

index |timestamp |some_info |function_name |id |param |result

1 |timestamp |some_info |function_name_1|id_1 |param_1|result_1

2 |timestamp |some_info |function_name_1|id_1 |param_1|result_2

3 |timestamp |some_info |function_name_1|id_1 |param_1|result_3

4 |timestamp |some_info |function_name_1|id_1 |param_1|result_4

5 |timestamp |some_info |function_name_1|id_1 |param_2|result_1

6 |timestamp |some_info |function_name_1|id_1 |param_2|result_2

7 |timestamp |some_info |function_name_1|id_1 |param_2|result_3

8 |timestamp |some_info |function_name_1|id_1 |param_2|result_4

9 |timestamp |some_info |function_name_1|id_1 |param_3|result_1

10 |timestamp |some_info |function_name_1|id_1 |param_3|result_2

11 |timestamp |some_info |function_name_1|id_1 |param_3|result_3

...

(n-1) |timestamp |some_info |function_name_4|id_4 |param_4|result_3

n |timestamp |some_info |function_name_4|id_4 |param_4|result_4

My last query looks like:

"table _time some_info function_name id param result | mvexpand function_name| mvexpand id|mvexpand param |mvexpand result"

Could any one help me with this situation.

Thanks,

Adrian.

Reply

sbsbb
Builder
‎01-21-2013 11:09 PM

I would try to use spath, output the result in a field, and do an mvexpand on that...

0 Karma
Reply

sbsbb
Builder
‎01-22-2013 12:06 AM

I'm not sure to understand your problem, I've done something similar with xml.
In your case, maybe you should extract all information as one field (lets say eField) " |function_name_1|id_1 |param_1|result_1", then mvexpand, and only after that, extract fields out of this eField

0 Karma
Reply

disha
Contributor
‎01-21-2013 11:16 PM

I have tried that. mvexpand is giving each field as one line as
P_NAME P_value

p1 m1
p2 m2
p3 m3
But I cannot figure out how to do one to one mapping of P_NAME and P_ID as I need to draw a chart like
chart first(P_value) over _time by P_NAME
Please help.
Thanks

0 Karma
Reply

disha
Contributor
‎01-21-2013 02:08 PM

Did You find any solution..Looks like nobody answering multiple multivalued field.I am stucked with the same.

0 Karma
Reply

adityapavan18
Contributor
‎09-20-2012 06:58 AM

Hi aadrian,

I am facing a similiar situation, have you got a solution to this?? even i am struggling to do the same.

Thnx

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...