Splunk Search

How to use mvexpand to extract data grouped by itself?

Spunk_user89
New Member

Hi Splunk community,

I am currently trying to break up a log. It is in this format after converting to JSON:

[screenshot: Spunk_user89_0-1682631551478.png]

Each plus under response has a block of information with several variables. I need Splunk to pull out the values of the variables I tell it to, but grouped together. I tried breaking this up using mvexpand, but when I do, it groups up the names in one log and the results, which makes it difficult to graph. An example of how it looks is below. The below format doesn't work, since every name variable will have the same output when graphed because every single group is one "log", which makes insights difficult.

[screenshot: Spunk_user89_1-1682631946201.png]

I need it to do something like this:

[screenshot: Spunk_user89_2-1682632007352.png]

The search that I have been using is below:

index=myindex attrs.deploymentKey="production" "MY COPY" "MY ROUTER*"
| spath input=line
| tojson auto(line)
| spath path=line.additionalInfo{}
| eval data=mvindex('line.additionalInfo{}', 0, 2)
| mvexpand data
| spath input=data output=my_name path=response{}.NAME
| spath input=data output=my_results path=response{}.Results
| where my_results = "Y"
| table my_name, my_results

Any help would be much appreciated.
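
As an added example of the pairing problem described above (not code from the original post or from any of the replies): the JSON in the makeresults line is a constructed sample whose nesting and field names (additionalInfo, response, NAME, Results) are assumed from the question. The idea is to mvexpand the array of response objects first and only then run spath on each expanded object, so every row carries one NAME with its own Results instead of a multivalue list of all names beside a multivalue list of all results.

```spl
| makeresults
| eval _raw="{\"additionalInfo\":[{\"response\":[{\"NAME\":\"router-a\",\"Results\":\"Y\"},{\"NAME\":\"router-b\",\"Results\":\"N\"},{\"NAME\":\"router-c\",\"Results\":\"Y\"}]}]}"
| spath path=additionalInfo{}.response{} output=resp
| mvexpand resp
| spath input=resp path=NAME output=my_name
| spath input=resp path=Results output=my_results
| where my_results="Y"
| table my_name my_results
```

The search in the question extracts response{}.NAME and response{}.Results from the whole block, which gives two multivalue fields per event, and mvexpand on one of them leaves the other grouped; expanding the object array before extraction avoids that.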

splunkjas1
Path Finder

In my opinion, you're doing way too much work. Let Splunk do the work. I love how I see people forcing all these things when Splunk has amazing abilities if you'll just let it. I can help you.


splunkjas1
Path Finder

I can help you finish this. You should reach out to me.


Spunk_user89
New Member

@splunkjas1 how would you go about solving this then?


yeahnah
Motivator

Hi @Spunk_user89,

It is very hard to help without the raw event data. Can you please provide an example of the raw event using the Insert/Edit code sample button so any event formatting is protected.

[screenshot: yeahnah_0-1682641417392.png]

Obfuscate or remove any sensitive data. 

Doing this will greatly help anyone that is looking to provide a solution for you.
