How to put extracted REX values in single row in t...

mrunalaghara · ‎03-01-2022

I am performing theSplunk query on following result, The following field repeats 100 times with different values

randomstring=randomstring&firstRex=firstRexValue&anotherradomstring=antotherrandomstring&secondRex=secondrexvalue&somotherstuff=someotherstuffvalue&yetanotherstuff=yetanotherstuffvalue&thirdRex=thirdrexvalue

the Splunk query is as below.

source="source" searchquery
| rex "firstRex=(?<value1>[^&]+)"
| rex "secondRex=(?<value2>[^&]+)" 
| rex "thirdRex=(?<value3>[^&]+)" 
| transaction value1
| table value2 value3

Now when I do table, the value2 and value3 doesn't seems connected. I mean the column value2 has 5 rows while column value3 has 7 rows for example.

Further, I would also like to add date for each event in the table, how can I do it?

and I would need your suggestion to perform regex in single rex query instead of three 🙂

ITWhisperer · ‎03-01-2022

Are the values always present?

source="source" searchquery
| rex "firstRex=(?<value1>[^&]+).+secondRex=(?<value2>[^&]+).+thirdRex=(?<value3>[^&]+)" 
| stats list(value2) as value2 list(value3) as value3 by value1

mrunalaghara · ‎03-01-2022

Thanks for your reply, but doesn't make any change 😞

ITWhisperer · ‎03-01-2022

Well, you haven't really answered the question - are these values present (in every event)?

Another question: what would your expected results look like?

mrunalaghara · ‎03-01-2022

Yes, these values present in all the events. I expect the answer to look like below table. The values of each transaction based on value3 should be combined. Each transaction may have 1 to 15 events. But they all have unique Value3

-----------------------------

firstRexValue1FirstTransaction

firstRexValue2FirstTransaction

firstRexValue3FirstTransaction

firstRexValue4FirstTransaction

firstRexValue5FirstTransaction

secondRexValue1FirstTransaction

secondRexValue2FirstTransaction

secondRexValue3FirstTransaction

secondRexValue4FirstTransaction

secondRexValue5FirstTransaction

firstRexValue1SecondTransaction

firstRexValue2SecondTransaction

firstRexValue3SecondTransaction

secondRexValue1SecondTransaction

secondRexValue2SecondTransaction

secondRexValue3SecondTransaction

firstRexValue1ThirdTransaction

firstRexValue2ThirdTransaction

firstRexValue3ThirdTransaction

firstRexValue4ThirdTransaction

secondRexValue1ThirdTransaction

secondRexValue2 secondRexValue3

secondRexValue3 secondRexValue3

ITWhisperer · ‎03-01-2022

So, value3 is the (common/linking) transaction id?

source="source" searchquery
| rex "firstRex=(?<value1>[^&]+).+secondRex=(?<value2>[^&]+).+thirdRex=(?<value3>[^&]+)" 
| stats list(value1) as value1 list(value2) as value2 by value3

mrunalaghara · ‎03-01-2022

Yes Value3 is common transaction id

somesoni2 · ‎03-01-2022

See if this helps:

source="source" searchquery
| rex "firstRex=(?<value1>[^&]+)"
| rex "secondRex=(?<value2>[^&]+)" 
| rex "thirdRex=(?<value3>[^&]+)" 
| transaction value1
| table value2 value3 
| nomv value2 | nomv value3

mrunalaghara · ‎03-01-2022

Thank you for your reply. but nomv value3 is combining the values... they are very hard to distinguish as it presents like a paragraph.

How to put extracted REX values in single row in table while using transaction?

regex

table

transaction

Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...

Elevate Your Organization with Splunk’s Next Platform Evolution

Splunk Answers Content Calendar, June Edition

Are you a member of the Splunk Community?