Splunk Search

How to split single multivalue event into multiple multivalue events?

ERFFFFF
Explorer

Hello everyone!

I'm trying to split a single multivalue event into multiple multivalue events.

Here is my base search:

sourcetype="xxxx"
| transaction clientip source id maxspan=5m startswith="yesorno=yes" endswith="event=connected" keepevicted=true mvlist=true,responsetime,status,yesorno,clientip,event,_time
| sort _time
| eval MergedColumns=responsetime . " " . yesorno
| stats list(event) as event, list(MergedColumns) as MergedColumns, list(responsetime) as responsetime by yesorno, clientip, id
| where !(event=="connected")
| table MergedColumns source clientip

Unfortunately, I am obliged to use a transaction here and not the stats command.

Here is my data:

MergedColumns    source      clientip
---------------  ----------  ---------------
10 yes           username1   xxx.xxx.xxx.xxx
510 no
348 no
50886 no
---------------  ----------  ---------------
10 yes           username2   xxx.xxx.xxx.xxx
513 no
1239 no
9 yes
160 no
340 no
21421 no
509 no
685 no
13799 no
149 no


I would like to split my event on the "xxx yes" like so:

MergedColumns    source      clientip
---------------  ----------  ---------------
10 yes           username1   xxx.xxx.xxx.xxx
510 no
348 no
50886 no
---------------  ----------  ---------------
10 yes           username2   xxx.xxx.xxx.xxx
513 no
1239 no
---------------  ----------  ---------------
9 yes            username2   xxx.xxx.xxx.xxx
160 no
340 no
21421 no
509 no
685 no
13799 no
149 no


Moreover, here I have only two "xxx yes" in the same multivalue event, but I can possibly have more than that (like 3 or 4).
I tried lots of things but none seems to work...
(here is the regex to extract "xxx yes" => "^\S{1,} yes$")

In fact, adding this:

| mvexpand MergedColumns
| regex MergedColumns="^\S{1,} yes$"
| table MergedColumns source clientip

The above seems to split my values correctly; however, it removes all the remaining "xxx no" values.

Does anyone have a solution?

Kind regards,


somesoni2
Revered Legend

Give this a try

sourcetype="xxxx"
| transaction clientip source id maxspan=5m startswith="yesorno=yes" 
endswith="event=connected" keepevicted=true mvlist=true,responsetime,status,yesorno,clientip,event,_time
| sort _time
| eval MergedColumns=responsetime . " " . yesorno
| stats list(event) as event, list(MergedColumns) as MergedColumns, 
list(responsetime) as responsetime by yesorno, clientip, id
| where !(event=="connected")
| table MergedColumns source clientip
| mvexpand MergedColumns
| eval temp=if(match(MergedColumns,".+yes$"),1,0)
| accum temp
| stats list(MergedColumns) as MergedColumns by source clientip temp | fields - temp

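To make visible what the accepted answer's mvexpand, eval, accum and stats steps do to the rows, here is a Python re-implementation of that grouping over the two sample rows from the question. This is example code added for this thread, not code from the post or from Splunk; the sample rows (and the extra "leading no" rows) are constructed from the data shown above.

```python
import re
from typing import Dict, List, Tuple

Row = Tuple[List[str], str, str]  # (MergedColumns values, source, clientip)

# Constructed from the two rows shown in the question.
SAMPLE_ROWS: List[Row] = [
    (["10 yes", "510 no", "348 no", "50886 no"], "username1", "xxx.xxx.xxx.xxx"),
    (["10 yes", "513 no", "1239 no", "9 yes", "160 no", "340 no", "21421 no",
      "509 no", "685 no", "13799 no", "149 no"], "username2", "xxx.xxx.xxx.xxx"),
]

# Constructed edge case: a second row for the same source/clientip that does
# not begin with a "yes" value.
LEADING_NO_ROWS: List[Row] = [
    (["10 yes", "5 no"], "username3", "xxx.xxx.xxx.xxx"),
    (["7 no", "3 yes"], "username3", "xxx.xxx.xxx.xxx"),
]

# The answer's segment test: eval temp=if(match(MergedColumns,".+yes$"),1,0)
SEGMENT_START = re.compile(r".+yes$")


def split_on_yes(rows: List[Row]) -> List[Row]:
    """Reproduce: mvexpand MergedColumns | eval temp=... | accum temp
    | stats list(MergedColumns) as MergedColumns by source clientip temp.

    accum is one running total across every expanded row, so each "yes"
    value opens a new segment id that is unique over the whole result set.
    """
    running = 0  # the accumulated temp field
    groups: Dict[Tuple[str, str, int], List[str]] = {}
    for values, source, clientip in rows:
        for value in values:  # mvexpand: one result per multivalue entry
            running += 1 if SEGMENT_START.match(value) else 0
            # stats ... by source clientip temp: list() keeps arrival order
            groups.setdefault((source, clientip, running), []).append(value)
    # stats emits one row per (source, clientip, temp) group, sorted by those fields
    return [(vals, src, ip) for (src, ip, _), vals in sorted(groups.items())]
```

The second sample shows the one thing to watch with this approach: because temp only increments on a "yes" value and accum runs over the whole result set, a later row for the same source and clientip that starts with a "no" value is merged into that pair's previous segment instead of starting its own.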

ITWhisperer
SplunkTrust

Curious to know how tightly your hand is tied behind your back! Why are you obliged to use transaction and not stats?


ERFFFFF
Explorer

Because I track which user is trying to connect (starting with the event "yesorno=yes" and terminating with the "event=connected") (if I'm in the wrong, please correct me, I'm still learning).


ERFFFFF
Explorer

Thank you very much, it works like a charm! 😄
