- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to make a table with multiple multivalue field...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to make a table with multiple multivalue fields?
I need to make a table with some information from events.
my event looks like:
[timestamp][some info]
[function_name_1][id_1][param_1][result_1]
[function_name_2][id_2][param_2][result_2]
[function_name_3][id_3][param_3][result_3]
...
[function_name_n][id_n][param_n][result_n]
Because my regexp only found the first occurance of the fields(function_name,id,param,result) so I used MV_ADD for all multivalue fields and now it finds all occurences.
My table should looks like:
index |timestamp |some_info |function_name |id |param |result
1 |timestamp |some_info |function_name_1|id_1 |param_1|result_1
2 |timestamp |some_info |function_name_2|id_2 |param_2|result_2
3 |timestamp |some_info |function_name_3|id_3 |param_3|result_3
4 |timestamp |some_info |function_name_4|id_4 |param_4|result_4
problem is with multivalue fields, for the last 4 column in one record I've got couple values and my table looks like:
index |timestamp |some_info |function_name |id |param |result
1 |timestamp |some_info |function_name_1|id_1|param_1|result_1
| | |function_name_2|id_2|param_2|result_2
| | |function_name_3|id_3|param_3|result_3
| | |function_name_4|id_4|param_4|result_4
2 |timestamp |some_info |function_name_1|id_1 |param_1|result_1
| | |function_name_2|id_2 |param_2|result_2
| | |function_name_3|id_3 |param_3|result_3
| | |function_name_4|id_4 |param_4|result_4
I read about mvexpand command but it doesn't work good with multiple multivalue fields.
after mvcommand for all multivalue fields I've got:
index |timestamp |some_info |function_name |id |param |result
1 |timestamp |some_info |function_name_1|id_1 |param_1|result_1
2 |timestamp |some_info |function_name_1|id_1 |param_1|result_2
3 |timestamp |some_info |function_name_1|id_1 |param_1|result_3
4 |timestamp |some_info |function_name_1|id_1 |param_1|result_4
5 |timestamp |some_info |function_name_1|id_1 |param_2|result_1
6 |timestamp |some_info |function_name_1|id_1 |param_2|result_2
7 |timestamp |some_info |function_name_1|id_1 |param_2|result_3
8 |timestamp |some_info |function_name_1|id_1 |param_2|result_4
9 |timestamp |some_info |function_name_1|id_1 |param_3|result_1
10 |timestamp |some_info |function_name_1|id_1 |param_3|result_2
11 |timestamp |some_info |function_name_1|id_1 |param_3|result_3
...
(n-1) |timestamp |some_info |function_name_4|id_4 |param_4|result_3
n |timestamp |some_info |function_name_4|id_4 |param_4|result_4
My last query looks like:
"table _time some_info function_name id param result | mvexpand function_name| mvexpand id|mvexpand param |mvexpand result"
Could any one help me with this situation.
Thanks,
Adrian.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would try to use spath, output the result in a field, and do an mvexpand on that...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm not sure to understand your problem, I've done something similar with xml.
In your case, maybe you should extract all information as one field (lets say eField) " |function_name_1|id_1 |param_1|result_1", then mvexpand, and only after that, extract fields out of this eField
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have tried that. mvexpand is giving each field as one line as
P_NAME P_value
p1 m1
p2 m2
p3 m3
But I cannot figure out how to do one to one mapping of P_NAME and P_ID as I need to draw a chart like
chart first(P_value) over _time by P_NAME
Please help.
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did You find any solution..Looks like nobody answering multiple multivalued field.I am stucked with the same.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi aadrian,
I am facing a similiar situation, have you got a solution to this?? even i am struggling to do the same.
Thnx
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
