Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Multi-value field grouping

boffhead
New Member
‎05-23-2021 09:29 PM

Hi,

I'm sending AWS SSM patching logs to splunk.  I'm transforming these via a Lambda and getting the following events: (snipped for brevity)

 

 

{
   <SNIP>
   missing_count: 0
   not_applicable_count: 1762
   operation_end_time: 2021-05-18T16:08:27.1678125Z
   operation_start_time: 2021-05-18T16:00:29.0000000Z
   operation_type: Install
   other_non_compliant_count: 0
   owner_information:
   patch_group: test-grp6-wed
   patches: [
     [
       KB5001879
       Yes
       Success
     ]
     [
       KB890830
       Yes
       Success
     ]
   ]
}

 

 

 
What I'm after is table selected fields like server name, start/finish times etc. and to get the patches column in the format (space or comma seperated on 2 lines with the same row as the rest of the row for that server)
KB5001879, Yes, Success
KB890830, Yes, Success

I can extract the field using the following:
index="aws" sourcetype="aws:ssmpatchinglogs"
| spath patches{}{} output=patches

I've tried some things with mvexpand, streamstats and mvindex (which didn't recognise the command - we're on splunk Version:8.0.1 Build:6db836e2fb9e).

Cheers

Labels (1)
Labels
0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...