Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to split multiply case number in same field?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi fellow splunkers!
I have a transaction that return case number in several scenarios. That is working perfectly where event has one case number. My chalenge is a application delete bulk function. My query with regex is matcing case number, but is returning all bulk case number in same field.
Query:
... | transaction pid maxspan=1s startswith=eval(match(_raw,"Processing TicketMultiactionController")) endswith=eval(match(_raw,"Completed"))
Output:
jan 15 08:55:02 10.246.31.18 xx[11138]: Processing TicketMultiactionController#update (for 172.18.209.36 at 2018-01-15 08:55:02) [POST] Jan 15 08:55:02 10.246.31.18 xx[11138]: Parameters: {"multiaction_idbox"=>" **344411 344409 344407**", "scope"=>"", "multiaction_markasdeleted"=>"1", "multiaction_owner"=>"", "multiaction_parentticket"=>"", "multiaction_monitor"=>""}
Example: casenr = 344411 344409 344407
How can I change this to "split" this deleted number into one event each ?
Regards
SRD
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hey you can try something like this as well
Try this run anywhere search
| makeresults
| eval casenr="344411 344409 344407"
| makemv casenr
| mvexpand casenr
If you want to make use this in your current search
<your_base_Search>| makemv casenr | mvexpand casenr
You need to have a field called casenr to use with mvexpand in which this pattern of numbers are there.
Let me know if this helps you!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hey you can try something like this as well
Try this run anywhere search
| makeresults
| eval casenr="344411 344409 344407"
| makemv casenr
| mvexpand casenr
If you want to make use this in your current search
<your_base_Search>| makemv casenr | mvexpand casenr
You need to have a field called casenr to use with mvexpand in which this pattern of numbers are there.
Let me know if this helps you!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It`s work perfectly mayurr98 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@steinroardahl, Try the following:
<YourCurrentSearch>
| eval casenr=split(casenr," ")
| mvexpand casenr
Following is the run anywhere example based on your sample data:
| makeresults
| eval casenr="344411 344409 344407"
| eval casenr=split(casenr," ")
| mvexpand casenr
PS: Also explore feasibility of use of stats instead of transsaction for query performance improvement.
| makeresults | eval message= "Happy Splunking!!!"
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
