Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Is there a makemv to mvexpand command issue in my ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
rdownie
Communicator
06-02-2017
08:11 AM
When running this search (the return value is hard coded, it is coming from an external command). I just pasted the results in the eval. It shouldn't make a difference.
Search:
|makeresults | eval return="1496410321;A;B# 1496410321;C;D# 1496410321;D;F# 1496413441;G;H# 1496413921;I;J# 1496413935;K;L#" |makemv delim="#" return | mvexpand return | rex field=return "(?P[^;]+);(?P[^;]+);(?P[^;]+)" | eval dsrv_time=dsrv_timestamp | convert ctime(dsrv_time) |
table dsrv_timestamp,dsrv_time,dsrv_host,dsrv_file_name
The convert ctime(dsrv_timestamp) only works on the first event? Why is it not acting on each event?
dsrv_timestamp dsrv_time dsrv_host dsrv_file_name
1496410321 06/02/2017 09:32:01 A B
1496410321 C D
1496410321 D F
1496413441 G H
1496413921 I J
1496413935 K L
Any help with this would be appreciated.
Thanks
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
micahkemp
Champion
06-02-2017
08:21 AM
There's a space after your # delimiter, which is throwing off your timestamp calcs. Try this:
| makeresults
| eval return="1496410321;A;B# 1496410321;C;D# 1496410321;D;F# 1496413441;G;H# 1496413921;I;J# 1496413935;K;L#"
| makemv delim="#" return
| mvexpand return
| rex field=return "\s*(?P<dsrv_timestamp>[^;]+);(?P<dsrv_host>[^;]+);(?P<dsrv_file_name>[^;]+)"
| eval dsrv_time=dsrv_timestamp
| convert ctime(dsrv_time)
| table dsrv_timestamp,dsrv_time,dsrv_host,dsrv_file_name
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
micahkemp
Champion
06-02-2017
08:21 AM
There's a space after your # delimiter, which is throwing off your timestamp calcs. Try this:
| makeresults
| eval return="1496410321;A;B# 1496410321;C;D# 1496410321;D;F# 1496413441;G;H# 1496413921;I;J# 1496413935;K;L#"
| makemv delim="#" return
| mvexpand return
| rex field=return "\s*(?P<dsrv_timestamp>[^;]+);(?P<dsrv_host>[^;]+);(?P<dsrv_file_name>[^;]+)"
| eval dsrv_time=dsrv_timestamp
| convert ctime(dsrv_time)
| table dsrv_timestamp,dsrv_time,dsrv_host,dsrv_file_name
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
rdownie
Communicator
06-02-2017
08:49 AM
Ugh!! I banged my head on this for a while. Thanks!!!!!!!
Get Updates on the Splunk Community!
Incident Response: Reduce Incident Recurrence with Automated Ticket Creation
Culture extends beyond work experience and coffee roast preferences on software engineering teams. Team ...
Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 2)
Welcome to the "Splunk Classroom Chronicles" series, created to help curious, career-minded learners get ...
Index This | I am a number but I am countless. What am I?
January 2025 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
Happy New Year! We’re ...
