How to put extracted REX values in single row in t...

mrunalaghara · ‎03-01-2022

I am performing theSplunk query on following result, The following field repeats 100 times with different values

randomstring=randomstring&firstRex=firstRexValue&anotherradomstring=antotherrandomstring&secondRex=secondrexvalue&somotherstuff=someotherstuffvalue&yetanotherstuff=yetanotherstuffvalue&thirdRex=thirdrexvalue

the Splunk query is as below.

source="source" searchquery
| rex "firstRex=(?<value1>[^&]+)"
| rex "secondRex=(?<value2>[^&]+)" 
| rex "thirdRex=(?<value3>[^&]+)" 
| transaction value1
| table value2 value3

Now when I do table, the value2 and value3 doesn't seems connected. I mean the column value2 has 5 rows while column value3 has 7 rows for example.

Further, I would also like to add date for each event in the table, how can I do it?

and I would need your suggestion to perform regex in single rex query instead of three 🙂

ITWhisperer · ‎03-01-2022

Are the values always present?

source="source" searchquery
| rex "firstRex=(?<value1>[^&]+).+secondRex=(?<value2>[^&]+).+thirdRex=(?<value3>[^&]+)" 
| stats list(value2) as value2 list(value3) as value3 by value1

mrunalaghara · ‎03-01-2022

Thanks for your reply, but doesn't make any change 😞

ITWhisperer · ‎03-01-2022

Well, you haven't really answered the question - are these values present (in every event)?

Another question: what would your expected results look like?

mrunalaghara · ‎03-01-2022

Yes, these values present in all the events. I expect the answer to look like below table. The values of each transaction based on value3 should be combined. Each transaction may have 1 to 15 events. But they all have unique Value3

-----------------------------

firstRexValue1FirstTransaction

firstRexValue2FirstTransaction

firstRexValue3FirstTransaction

firstRexValue4FirstTransaction

firstRexValue5FirstTransaction

secondRexValue1FirstTransaction

secondRexValue2FirstTransaction

secondRexValue3FirstTransaction

secondRexValue4FirstTransaction

secondRexValue5FirstTransaction

firstRexValue1SecondTransaction

firstRexValue2SecondTransaction

firstRexValue3SecondTransaction

secondRexValue1SecondTransaction

secondRexValue2SecondTransaction

secondRexValue3SecondTransaction

firstRexValue1ThirdTransaction

firstRexValue2ThirdTransaction

firstRexValue3ThirdTransaction

firstRexValue4ThirdTransaction

secondRexValue1ThirdTransaction

secondRexValue2 secondRexValue3

secondRexValue3 secondRexValue3

ITWhisperer · ‎03-01-2022

So, value3 is the (common/linking) transaction id?

source="source" searchquery
| rex "firstRex=(?<value1>[^&]+).+secondRex=(?<value2>[^&]+).+thirdRex=(?<value3>[^&]+)" 
| stats list(value1) as value1 list(value2) as value2 by value3

mrunalaghara · ‎03-01-2022

Yes Value3 is common transaction id

somesoni2 · ‎03-01-2022

See if this helps:

source="source" searchquery
| rex "firstRex=(?<value1>[^&]+)"
| rex "secondRex=(?<value2>[^&]+)" 
| rex "thirdRex=(?<value3>[^&]+)" 
| transaction value1
| table value2 value3 
| nomv value2 | nomv value3

mrunalaghara · ‎03-01-2022

Thank you for your reply. but nomv value3 is combining the values... they are very hard to distinguish as it presents like a paragraph.

How to put extracted REX values in single row in table while using transaction?

regex

table

transaction

Splunk App for Anomaly Detection End of Life Announcment

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk

Are you a member of the Splunk Community?