Splunk Search

How to split up multiple values within a field (mvexpand)

Path Finder

Hi,

The output of both systems is written to the same index and differ by the component contained in the event.

e.g:
user=x component=old target=foobar
OR
user=x component=new target=foobar
| stats dc(component) as condition, list(msglog) as msglog, list(component) as component
| where condition>1

I have data that looks like this:

|target |condition |msglog |component
|footbar | 2 |Registration successful |old
| | |Registration successful |new
| | |invalid login |new

A field is grouped into multiple values (for example "msglog", "Date", "component"). However, I want to extract them all separately into one field and list them in a table by targetID. The result should look like this:

|target |condition |msglog |component
|footbar | 2 |Registration successful |old
|footbar | 2 |Registration successful |new
|footbar | 2 |invalid login |new

BUT, if I use mvexpand:
...| mvexpand msglog
| fillnull msglog value=0
| mvexpand component
| fillnull component value=0
| dedup msglog component

there is an additional row with msglog=invalid login and component=old, which is not correct.

|target |condition |msglog |component
|footbar | 2 |Registration successful |old
|footbar | 2 |Registration successful |new
|footbar | 2 |invalid login |new
|footbar | 2 |invalid login |old

Thanks for your help and your time.

0 Karma
1 Solution

Esteemed Legend

Just do this:

index=<You should always specify index> AND sourcetype=<And sourcetype too>
| table target condition msglog component
| filldown target
| filldown condition


0 Karma

Motivator

mvexpand will expand that particular field and copy the others. That's why, when you expand "msglog", both "Registration successful" and "invalid login" will then have an mv field "component" with both "new" and "old" values for each "msglog" value.

Does each event have every field (target, condition, msglog, component)?
Because from what I see, there is no way (with your search) you could have those results:

user=x component=old target=foobar
OR
user=x component=new target=foobar
| stats dc(component) as condition, list(msglog) as msglog, list(component) as component

target won't be an available field in the results here, only condition, msglog and component.
Can you post some raw data?

------------
Hope I was able to help you. If so, an upvote would be appreciated.
0 Karma

Path Finder

Hello @diogofgm
Here are the raw data:

{"timestamp":"2019-07-12T20:48:08.371+02:00",
"user":"x",
"component":"new",
"target":"footbar",
"msglog":"invalid login"
}
..........
{"timestamp":"2019-07-12T20:48:08.25+02:00",
"user":"x",
"component":"old",
"target":"footbar",
"msglog":"Registration successful"
}
...........

{"timestamp":"2019-07-12T20:48:08.184+02:00",
"user":"x",
"component":"new",
"target":"footbar",
"msglog":"Registration successful"
}

As I said, one field has several values in one row (i.e. "msglog" has the values
"Registration successful"
"Registration successful"
"invalid login"). I would like to have these values extracted into a table on separate lines so that the results are correct. Otherwise I cannot limit my results to, for example, only "Registration successful".

0 Karma

Motivator

Is this 1 event or 3?
If it's 1 event, you should be breaking your event.
If it's 3 events, use:
| eventstats dc(component) AS condition | table target condition msglog component

------------
Hope I was able to help you. If so, an upvote would be appreciated.
0 Karma
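The thread's core problem is that mvexpand on one multivalue field copies every other multivalue field unchanged, so expanding msglog and then component produces the cartesian product (hence the spurious "invalid login"/"old" row). The search below is an added example, not one of the answers posted above. It rebuilds the three raw JSON events from the thread with makeresults (constructed data; "footbar" is spelled as in the posts), reproduces the original stats output, and then expands msglog and component as positional pairs with mvzip so each msglog stays attached to the component of the event it came from. The delimiter "|" is an assumed choice; pick any character that cannot appear in msglog or component.

```spl
| makeresults count=3
| streamstats count AS n
| eval user="x", target="footbar"
| eval component=case(n==1, "new", n==2, "old", n==3, "new")
| eval msglog=case(n==1, "invalid login", n==2, "Registration successful", n==3, "Registration successful")
| fields - n _time
| stats dc(component) AS condition, list(msglog) AS msglog, list(component) AS component BY target
| where condition > 1
| eval pair=mvzip(msglog, component, "|")
| fields - msglog component
| mvexpand pair
| eval msglog=mvindex(split(pair, "|"), 0), component=mvindex(split(pair, "|"), 1)
| fields - pair
| table target condition msglog component
```

Because list() preserves event order (unlike values(), which sorts and deduplicates), the i-th msglog and the i-th component belong to the same source event, so mvzip pairs them correctly; the expected result is exactly the three rows the original poster asked for. Two caveats: list() keeps at most 100 values per field, so on larger groups it silently truncates, and if one of the zipped fields is missing in some events the positions drift. When you still have the raw events, the eventstats approach suggested above avoids the multivalue round trip entirely (add `BY target` if more than one target is in scope).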