How to put extracted REX values in single row in table while using transaction?

mrunalaghara
Loves-to-Learn

I am performing the Splunk query on the following result. The following field repeats 100 times with different values:

randomstring=randomstring&firstRex=firstRexValue&anotherradomstring=antotherrandomstring&secondRex=secondrexvalue&somotherstuff=someotherstuffvalue&yetanotherstuff=yetanotherstuffvalue&thirdRex=thirdrexvalue

The Splunk query is as below.
source="source" searchquery
| rex "firstRex=(?<value1>[^&]+)"
| rex "secondRex=(?<value2>[^&]+)" 
| rex "thirdRex=(?<value3>[^&]+)" 
| transaction value1
| table value2 value3 


Now when I do table, value2 and value3 don't seem connected. I mean the column value2 has 5 rows while column value3 has 7 rows, for example.

Further, I would also like to add date for each event in the table, how can I do it?

And I would appreciate your suggestion on performing the regex in a single rex query instead of three 🙂


ITWhisperer
SplunkTrust

Are the values always present?

source="source" searchquery
| rex "firstRex=(?<value1>[^&]+).+secondRex=(?<value2>[^&]+).+thirdRex=(?<value3>[^&]+)" 
| stats list(value2) as value2 list(value3) as value3 by value1

mrunalaghara
Loves-to-Learn

Thanks for your reply, but it doesn't make any change 😞


ITWhisperer
SplunkTrust

Well, you haven't really answered the question - are these values present (in every event)?

Another question: what would your expected results look like?


mrunalaghara
Loves-to-Learn

Yes, these values are present in all the events. I expect the answer to look like the table below. The values of each transaction, based on value3, should be combined. Each transaction may have 1 to 15 events, but they all have a unique value3.

value1                               value2
-----------------------------------------------------------------
firstRexValue1FirstTransaction       secondRexValue1FirstTransaction
firstRexValue2FirstTransaction       secondRexValue2FirstTransaction
firstRexValue3FirstTransaction       secondRexValue3FirstTransaction
firstRexValue4FirstTransaction       secondRexValue4FirstTransaction
firstRexValue5FirstTransaction       secondRexValue5FirstTransaction

firstRexValue1SecondTransaction      secondRexValue1SecondTransaction
firstRexValue2SecondTransaction      secondRexValue2SecondTransaction
firstRexValue3SecondTransaction      secondRexValue3SecondTransaction

firstRexValue1ThirdTransaction       secondRexValue1ThirdTransaction
firstRexValue2ThirdTransaction       secondRexValue2 secondRexValue3
firstRexValue3ThirdTransaction       secondRexValue3 secondRexValue3
firstRexValue4ThirdTransaction

ITWhisperer
SplunkTrust

So, value3 is the (common/linking) transaction id?

source="source" searchquery
| rex "firstRex=(?<value1>[^&]+).+secondRex=(?<value2>[^&]+).+thirdRex=(?<value3>[^&]+)" 
| stats list(value1) as value1 list(value2) as value2 by value3
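To make the behaviour of the `stats ... by value3` answer above concrete outside Splunk, here is an added Python model of it; this is not code from the thread or from Splunk, and the events, field values and timestamps in it are constructed. It extracts the three fields from each event, groups the events by the linking id (value3) the way `stats list(value1) as value1 list(value2) as value2 by value3` does, and carries a per-event timestamp along in the same group so that the date column stays aligned with the other two (the second question in the thread). It also shows the caveat with the chained single `rex` from the thread: because it relies on `.+` between the keys, it only matches when `firstRex`, `secondRex` and `thirdRex` appear in that order, whereas treating the payload as a query string is order independent. `extract_chained`, `extract_parsed` and `group_by_transaction` are names chosen for this example.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs

# Constructed sample events (not from the original post): each entry is a
# timestamp plus the query-string style payload the poster described.
EVENTS = [
    ("2024-05-01 10:00:01", "a=x&firstRex=f1&b=y&secondRex=s1&c=z&thirdRex=T1"),
    ("2024-05-01 10:00:02", "a=x&firstRex=f2&b=y&secondRex=s2&c=z&thirdRex=T1"),
    ("2024-05-01 10:00:03", "a=x&firstRex=f3&b=y&secondRex=s3&c=z&thirdRex=T2"),
    ("2024-05-01 10:00:04", "a=x&firstRex=f4&b=y&secondRex=s4&c=z&thirdRex=T1"),
    # Keys in a different order: the chained regex below does not match this one.
    ("2024-05-01 10:00:05", "thirdRex=T2&firstRex=f5&secondRex=s5"),
]

# Python equivalent of the single chained rex from the thread.
# The ".+" between the keys means the three keys must occur in this order.
CHAINED_RE = re.compile(
    r"firstRex=(?P<value1>[^&]+).+secondRex=(?P<value2>[^&]+).+thirdRex=(?P<value3>[^&]+)"
)


def extract_chained(raw):
    """Return (value1, value2, value3) using the order-dependent chained regex, or None."""
    m = CHAINED_RE.search(raw)
    if m is None:
        return None
    return (m.group("value1"), m.group("value2"), m.group("value3"))


def extract_parsed(raw):
    """Return (value1, value2, value3) by parsing the payload as a query string.

    Order independent, and percent-encoded values are decoded; a record missing
    any of the three keys is skipped rather than mis-assigned.
    """
    q = parse_qs(raw, keep_blank_values=True)
    try:
        return (q["firstRex"][0], q["secondRex"][0], q["thirdRex"][0])
    except KeyError:
        return None


def group_by_transaction(events, extract):
    """Model of: | stats list(_time) as _time list(value1) as value1 list(value2) as value2 by value3

    Every list in a row is appended in the same pass over the same event, so
    position i of _time, value1 and value2 always belongs to the same event.
    """
    rows = defaultdict(lambda: {"_time": [], "value1": [], "value2": []})
    for ts, raw in events:
        fields = extract(raw)
        if fields is None:
            continue  # no field set for this event; nothing to align
        v1, v2, v3 = fields
        rows[v3]["_time"].append(ts)
        rows[v3]["value1"].append(v1)
        rows[v3]["value2"].append(v2)
    return dict(rows)


def render(rows):
    """Plain-text rendering of the grouped rows, one line per event within a group."""
    out = []
    for v3 in sorted(rows):
        row = rows[v3]
        out.append(f"value3={v3}")
        for ts, v1, v2 in zip(row["_time"], row["value1"], row["value2"]):
            out.append(f"  {ts}  {v1}  {v2}")
    return "\n".join(out)


if __name__ == "__main__":
    print("chained regex (order dependent):")
    print(render(group_by_transaction(EVENTS, extract_chained)))
    print("\nquery-string parse (order independent):")
    print(render(group_by_transaction(EVENTS, extract_parsed)))
```

With the parsed extractor the T2 group contains both of its events, while the chained regex silently drops the out-of-order one; in Splunk the same thing shows up as events with no `value3` at all, which `stats ... by value3` then leaves out of the table. If the field order in the source is not guaranteed, three independent `rex` extractions (as in the original query) or a key/value extraction are the safer choice, with the grouping still done by the common id.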

mrunalaghara
Loves-to-Learn

Yes, value3 is the common transaction id.


somesoni2
Revered Legend

See if this helps:

source="source" searchquery
| rex "firstRex=(?<value1>[^&]+)"
| rex "secondRex=(?<value2>[^&]+)" 
| rex "thirdRex=(?<value3>[^&]+)" 
| transaction value1
| table value2 value3 
| nomv value2 | nomv value3

mrunalaghara
Loves-to-Learn

Thank you for your reply, but nomv value3 is combining the values... they are very hard to distinguish as it presents like a paragraph.
