Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to show all values of a field on the same table?

din98
Explorer
‎10-08-2022 04:19 AM
 
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-08-2022 06:27 AM

Hi @din98,

you should explore the use of colesce option in eval command (https://docs.splunk.com/Documentation/Splunk/9.0.1/SearchReference/ConditionalFunctions#coalesce.28X... or https://www.splunk.com/en_us/blog/tips-and-tricks/search-command-coalesce.html?locale=en_us )

something like this:

index=$tnkenvironment$ sourcetype=*json source=*webhook* $tknhost$ Type ="job.*" $tknProcessname$ $tknRobot$ $tknStatus$
| eval 
   'job.created'=coalesce('job.created','job{}.created'),
   'job.stopped'=coalesce('job.stopped','job{}.stopped)'
| table _time ...

Then in addition, son't use the search command after the main search it's slower than put the additional search parameter in the main search.

Thne don't use the asterisk at the beginning od a string because you have low performances, it's better to have a list  using the IN operator.

Then, next time, please, put your search in the message as text not as screenshot, because in this case I have to manually insert it.

Ciao.

Giuseppe

0 Karma
Reply

din98
Explorer
‎10-08-2022 07:20 AM

 ,

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-09-2022 02:56 AM

Hi @din98,

no problem, it's a pleasure to help you, only one thing: next time, open a new case for a new answer, don't attach it to another already answered one because you'll have less answers.

anyway, you have to create the conditions you described using eval, so for example:

| eval 'Job.Release.ProcessKey'=if(Type='job.created' OR Type='job.stopped','Job.Release.ProcessKey','Jobs{}.Release.ProcessKey')

you can use if or case to define all your conditions.

One additional thing, avoid to use fields with spaces or special chars (as doc), it's better to rename them before manipulations and calculations

| rename 
   'Job.Release.ProcessKey' AS Job_ProcessKey 
   'Jobs{}.Release.ProcessKey' AS Jobs_ProcessKey 
| eval Job_ProcessKey=if(Type="job.created" OR Type="job.stopped",Job_ProcessKey,Jobs_ProcessKey)

Ciao.

Giuseppe

0 Karma
Reply

din98
Explorer
‎10-11-2022 07:12 AM

,

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-11-2022 07:20 AM

Hi @din98,

I don't know all your conditions, It's important for me that you understand the approach, then you can add all the conditions.

If you have an intersting value to add, you can put it with an additional condition.

Ciao.

Giuseppe

 

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎10-09-2022 01:38 PM

@din98 As @gcusello mentioned, posting search sample and data sample in text would greatly help other people to help you.  I want to address a more fundamental issue that you need to consider:

Given that Splunk notation jobs{} indicates an array, which could contain multiple elements, e.g.,

_raw_timejob.keyjob.typejobs{}.keyjobs{}.type
{ "job": {"key": "job1", "type": "job.created"}}2022-10-09 13:06:05job1job.created  
{ "job": {"key": "job3", "type": "job.stopped"}}2022-10-09 13:06:50job3job.stopped  
{"jobs": [{"key": "job1", "type": "job.started"}, {"key": "job2", "type": "job.completed"}]}2022-10-09 13:09:31  
job1
job2
job.started
job.completed

If your raw data have such combinations, dereferencing jobs{}.key, etc., directly will give Splunk ambiguous multivalue results.  You may need to detangle the array first, that is, use mvexpand to split jobs{}.

 

index=$tnkenvironment$ sourcetype=*json source=*webhook* $tknhost$ Type ="job.*" $tknProcessname$ $tknRobot$ $tknStatus$
| spath input=data path=jobs{} ``` extract the array as unitary field ```
| mvexpand jobs{} ``` creates an event for each element in array ```
| spath input=jobs{} ``` extract nodes in array element ```
| foreach jobs{}.* ``` iterate over each node ```
    [eval <<MATCHSTR>> = coalesce(<<MATCHSTR>>, 'job.<<MATCHSTR>>')]
| fields - jobs.* jobs{}.*

 

This way, each element in the array will be tabulated separately, and all JSON nodes can be coalesced without explicitly naming each of them.  Using the above data as example, you'll get

_timekeytype
2022-10-09 13:06:05job1job.created
2022-10-09 13:06:50job3job.stopped
2022-10-09 13:09:31job1job.started
2022-10-09 13:09:31job2job.completed

Whether you use mvexpand depends on your presentation style, of course.  But if you want to further perform statistics on the output, or to use drilldown on any of job attributes, mvexpand will be necessary.

Tags (2)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎10-08-2022 04:52 AM

You can either just list all the fields in the table command and sometimes they will be null (shown as blank) and other times they will have values, or you can use an eval with an if function or coalesce command to place the values in another field depending on the job type.

Reply

din98
Explorer
‎10-08-2022 06:04 AM

,




0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎10-08-2022 06:13 AM

use single quotes around field names (double quotes are for strings)

Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...