Splunk Search

How to split stats values() into other rows?

bofasplunkguy
Explorer

I am trying to show a "primary" and "secondary" IP in rows to recreate a spreadsheet. I currently have a search like:

search query | stats values (IP) as IPs by user

This will return all of my users, with the corresponding IPs. Some users have only one, while others also have a secondary. I would like the primary and secondary to be separate columns, rather than having both combined in a single cell. I was trying to use rex to separate them, but my fields come back empty:

|rex field=IPs "(?<primary>\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})[\r\n]"(?<secondary>\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})"
|table user primary secondary

I think the issue is with the linebreak [r/n] as I can extract just the primary this way. Please advise how to split the stats values into separate rows, either using regex or if there is a better way.

0 Karma

Vijeta
Influencer

You can try mvexpand-

search query | stats values (IP) as IPs by user | mvexpand IPs

bofasplunkguy
Explorer

mvexpand breaks the values back into separate rows, which is how they already are before the stats values() command.

I want these in separate columns, not separate rows. Does that make sense? I want to end up with a table with three columns like:

| table user primary secondary

0 Karma
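An added example, not part of the original thread: one way to get the three-column table asked for above is to index into the multivalue field with mvindex() rather than matching across a line break with rex. The events are constructed with makeresults so the search runs on its own; the sample users and addresses and the source_note and ip_count fields are assumptions introduced for illustration.

```spl
| makeresults count=5
| eval source_note="constructed sample events, not data from the thread"
| streamstats count as n
| eval user=case(n<=2, "alice", n<=4, "bob", true(), "carol")
| eval IP=case(n=1, "10.0.0.5", n=2, "10.0.0.9", n=3, "192.0.2.10", n=4, "192.0.2.10", n=5, "198.51.100.7")
| stats values(IP) as IPs by user
| eval primary=mvindex(IPs, 0), secondary=mvindex(IPs, 1), ip_count=mvcount(IPs)
| table user primary secondary ip_count
```

values() returns distinct values in lexicographical order, so "primary" here is the first address in sort order rather than the first one seen; ip_count shows when a user has more addresses than the two columns display.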