Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to split multiply case number in same field?

steinroardahl
Observer
‎01-15-2018 12:48 AM

Hi fellow splunkers!

I have a transaction that return case number in several scenarios. That is working perfectly where event has one case number. My chalenge is a application delete bulk function. My query with regex is matcing case number, but is returning all bulk case number in same field.

Query:
... | transaction pid maxspan=1s startswith=eval(match(_raw,"Processing TicketMultiactionController")) endswith=eval(match(_raw,"Completed"))
Output:
jan 15 08:55:02 10.246.31.18 xx[11138]: Processing TicketMultiactionController#update (for 172.18.209.36 at 2018-01-15 08:55:02) [POST] Jan 15 08:55:02 10.246.31.18 xx[11138]: Parameters: {"multiaction_idbox"=>" **344411 344409 344407**", "scope"=>"", "multiaction_markasdeleted"=>"1", "multiaction_owner"=>"", "multiaction_parentticket"=>"", "multiaction_monitor"=>""}

Example: casenr = 344411 344409 344407

How can I change this to "split" this deleted number into one event each ?

Regards
SRD

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mayurr98
Super Champion
‎01-15-2018 04:12 AM

hey you can try something like this as well

Try this run anywhere search

| makeresults 
| eval casenr="344411 344409 344407" 
| makemv casenr 
| mvexpand casenr

If you want to make use this in your current search 

<your_base_Search>| makemv casenr | mvexpand casenr

You need to have a field called casenr to use with mvexpand in which this pattern of numbers are there.

Let me know if this helps you!

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

mayurr98
Super Champion
‎01-15-2018 04:12 AM

hey you can try something like this as well

Try this run anywhere search

| makeresults 
| eval casenr="344411 344409 344407" 
| makemv casenr 
| mvexpand casenr

If you want to make use this in your current search 

<your_base_Search>| makemv casenr | mvexpand casenr

You need to have a field called casenr to use with mvexpand in which this pattern of numbers are there.

Let me know if this helps you!

0 Karma
Reply
Solved! Jump to solution

steinroardahl
Observer
‎01-15-2018 07:18 AM

It`s work perfectly mayurr98 🙂

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎01-15-2018 03:21 AM

@steinroardahl, Try the following:

<YourCurrentSearch>
| eval casenr=split(casenr," ")
| mvexpand casenr

Following is the run anywhere example based on your sample data:

| makeresults
| eval casenr="344411 344409 344407"
| eval casenr=split(casenr," ")
| mvexpand casenr

PS: Also explore feasibility of use of stats instead of transsaction for query performance improvement.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...