I am having a problem extracting multivalued fields. I think it's because this particular field is quoted.
ids=\"XXX-404994280,XXX-404993710,XXX-335205060,XXX-404991340,XXX-335203510\"
The following search: index=app_logs env=prod | makemv delim="," ids | mvexpand ids
Does not yield the expected results of 5 new events.
It seems like this is a bug in the way Splunk evaluates multi-valued fields that is agitated by the slash and the quote, so I was trying to get around this problem by removing the \"
It seems like Splunk must run the rex commands after the mv commands. Is there any way to force it to run rex first? Is there any documentation on the order of operations of the Splunk commands?
Actually the best solution is to write your own field extraction that is aware of the backslashes instead of trying to nudge a failing key-value extraction back to life.
Something like this:
\bids=\\?"?(?<my_ids>[^\\"]+)
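As an added illustration (not code from the thread or from Splunk), the regex above run in Python against the question's event fragment: a rough stand-in for the default key=value extraction reproduces the symptom (ids left holding only a backslash), while the backslash-aware pattern recovers the list so that splitting on "," yields the five values. The surrounding env=/status= fields in the sample event are made up, and Splunk's (?<name>...) named group is written as Python's (?P<name>...).

```python
import re
from typing import List, Optional

# Constructed sample event: only the ids=\"...\" fragment comes from the
# question; the surrounding env=/status= fields are made up for illustration.
SAMPLE_EVENT = (
    r'env=prod ids=\"XXX-404994280,XXX-404993710,XXX-335205060,'
    r'XXX-404991340,XXX-335203510\" status=ok'
)

# Rough stand-in for Splunk's automatic key=value extraction on this event:
# the value is read up to the first quote, so the field is left holding
# just a backslash. (Approximation for demonstration, not Splunk's code.)
NAIVE_KV = re.compile(r'\bids=(\\?[^\s\\"]*)')

# Martin's backslash-aware extraction from the answer above. Splunk/PCRE
# write the named group as (?<my_ids>...); Python's re needs (?P<my_ids>...).
BACKSLASH_AWARE = re.compile(r'\bids=\\?"?(?P<my_ids>[^\\"]+)')


def naive_extract(event: str) -> Optional[str]:
    """What the default extraction leaves in ids (the symptom in the thread)."""
    m = NAIVE_KV.search(event)
    return m.group(1) if m else None


def extract_ids(event: str) -> Optional[str]:
    """rex-style extraction: the comma-separated list without the escaped quotes."""
    m = BACKSLASH_AWARE.search(event)
    return m.group("my_ids") if m else None


def expand_ids(event: str) -> List[str]:
    """Equivalent of '| makemv delim="," my_ids | mvexpand my_ids': one value per id."""
    raw = extract_ids(event)
    return raw.split(",") if raw else []


if __name__ == "__main__":
    print("default extraction leaves:", repr(naive_extract(SAMPLE_EVENT)))
    for ids_value in expand_ids(SAMPLE_EVENT):
        print("expanded event ids =", ids_value)
```

Note that the class [^\\"]+ does not exclude whitespace, so on an event where the ids value is not quoted at all the match would run past the next space up to the next backslash or quote; if such events exist, add \s to the negated class.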
Cool. I've converted this to an answer so you can mark that as the solution.
Nailed it. Excellent work around. I created a new field: aaIds. Prefixing my created fields with aa is a trick I use to get them to show up at the top of the fields list. With the new extracted field I was able to expand as I expected.
Thanks, Martin!
The problem is that you are using rex to modify the text of the event, _raw, but then your makemv is targeting the field ids. If you want rex to have an effect upon the makemv, you will need to use it to modify the ids field instead.
Indeed, for example like this:
... | rex field=ids mode=sed "s/\\\\"//g" | makemv ...
Here's the problem. The field ids, when I look at it in the field viewer, is this: \
So the problem is that Splunk terminates the field at the \ instead of continuing on until the space. I think my thought process here is, if I can remove the troubled \" characters and get Splunk to reevaluate the field, I would be ok.
Ideas?
Maybe I misunderstand your question, but you mention rex commands not running at the point in the search pipeline you want them to... I see no rex command in your search?
Ok, so here's the search:
index=app_logs env=poi-prod rapIds | rex field=_raw mode=sed "s/\\\\\"//g" | makemv delim="," ids | mvexpand ids
and the pertinent piece of the event that I hope to separate into 5 events.
ids=\"XXX-404994280,XXX-404993710,XXX-335205060,XXX-404991340,XXX-335203510\"
Does the raw data contain the ids field enclosed within \" or just "?
The raw data contains the \". I'll edit the question to reflect that. I see what you did there.