Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Multiline event report

sarumjanuch
Path Finder
‎11-04-2013 07:02 AM

Hi there i have log something like this:

id=4555 event=Enter data1=12
id=4555 event=Connect data1=23
id=4555 event=Exit data1=28
id=4556 event=Enter data1=12
id=4556 event=Connect data1=23
id=4556 event=Exit data1=28

then i use | transaction id

and i receive my events gouped by id, but now, i need to create a table like this:

id | data1 from line where event=Enter | data1 from line whre event=Connect

can someone advise me, what tool i should read about?

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎11-04-2013 07:31 AM

You can access the elements of the multi-valued field with the mvindex() function of eval;

your_base_search 
| transaction id 
| eval Enter_Data_1 = mvindex(data1, 0) 
| eval Connect_Data_1 = mvindex(data1,1) 
| table id, Enter_Data_1, Connect_Data_1

output

id     Enter_Data_1      Connect_Data_1
4555   12                23
4556   12                23

Hope this helps,

K

View solution in original post

Reply
Solved! Jump to solution

lukejadamec
Super Champion
‎11-04-2013 07:36 AM

Have you tried limiting the search to events that match that criteria?
Add this prior to the transaction:

|search event="Enter" OR event="Connect" |
0 Karma
Reply
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎11-04-2013 07:31 AM

You can access the elements of the multi-valued field with the mvindex() function of eval;

your_base_search 
| transaction id 
| eval Enter_Data_1 = mvindex(data1, 0) 
| eval Connect_Data_1 = mvindex(data1,1) 
| table id, Enter_Data_1, Connect_Data_1

output

id     Enter_Data_1      Connect_Data_1
4555   12                23
4556   12                23

Hope this helps,

K

Reply
Solved! Jump to solution

rakesh_498115
Motivator
‎11-04-2013 07:28 AM

Pls give me the table format..so that i can help with the query ?

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...