Splunk Search

Multiline event report

sarumjanuch
Path Finder

Hi there, I have a log something like this:

id=4555 event=Enter data1=12
id=4555 event=Connect data1=23
id=4555 event=Exit data1=28
id=4556 event=Enter data1=12
id=4556 event=Connect data1=23
id=4556 event=Exit data1=28

then I use | transaction id

and I receive my events grouped by id, but now I need to create a table like this:

id | data1 from line where event=Enter | data1 from line where event=Connect

Can someone advise me what tool I should read about?


kristian_kolb
Ultra Champion

You can access the elements of the multi-valued field with the mvindex() function of eval:

your_base_search 
| transaction id 
| eval Enter_Data_1 = mvindex(data1, 0) 
| eval Connect_Data_1 = mvindex(data1,1) 
| table id, Enter_Data_1, Connect_Data_1

output

id     Enter_Data_1      Connect_Data_1
4555   12                23
4556   12                23

Hope this helps,

K

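An added example, not from this thread, that replays the accepted answer's transaction + mvindex logic in Python on constructed log lines so the positional pick-up can be checked: by default (mvlist=false) transaction turns each field into a de-duplicated, string-sorted set, so mvindex(data1, 0) returns the Enter value for the sample only because "12" sorts before "23", while mvlist=true keeps arrival order and lets data1 be looked up at the position where event matches. The transaction, mvindex, by_position and by_event functions below are my simplified models of the Splunk commands, not Splunk's implementation, and id 4557 is a constructed case where the two approaches differ.

```python
from collections import defaultdict

# Constructed sample in the question's format; id 4557 has an Enter value that
# sorts after its Connect value as a string ("5" > "40"), unlike 4555/4556.
SAMPLE_LOG = """\
id=4555 event=Enter data1=12
id=4555 event=Connect data1=23
id=4555 event=Exit data1=28
id=4556 event=Enter data1=12
id=4556 event=Connect data1=23
id=4556 event=Exit data1=28
id=4557 event=Enter data1=5
id=4557 event=Connect data1=40
id=4557 event=Exit data1=41
"""

def transaction(log, key="id", mvlist=False):
    """Model of '| transaction <key>': every other field becomes a multivalue
    list. mvlist=False (Splunk's default) keeps a de-duplicated, string-sorted
    set of values; mvlist=True keeps one value per event in arrival order."""
    groups = defaultdict(list)
    for line in log.strip().splitlines():
        ev = dict(tok.split("=", 1) for tok in line.split())  # k=v extraction
        groups[ev[key]].append(ev)
    txn = {}
    for k, events in groups.items():
        fields = defaultdict(list)
        for ev in events:
            for f, v in ev.items():
                if f != key:
                    fields[f].append(v)
        txn[k] = {f: (v if mvlist else sorted(set(v))) for f, v in fields.items()}
    return txn

def mvindex(values, i):
    """Model of eval's mvindex(): element i, or None when i is out of range."""
    return values[i] if -len(values) <= i < len(values) else None

def by_position(txn):
    """The accepted answer: assume data1[0] is Enter and data1[1] is Connect."""
    return {k: (mvindex(f["data1"], 0), mvindex(f["data1"], 1)) for k, f in txn.items()}

def by_event(txn):
    """Pick data1 at the position where event matches; this needs arrival-ordered
    (mvlist=True) lists so that event[i] and data1[i] come from the same line."""
    def pick(f, name):
        return mvindex(f["data1"], f["event"].index(name)) if name in f["event"] else None
    return {k: (pick(f, "Enter"), pick(f, "Connect")) for k, f in txn.items()}
```

In SPL the by_event lookup corresponds to | transaction id mvlist=true | eval Enter_Data_1 = mvindex(data1, mvfind(event, "^Enter$")), assuming every event carries both fields so the two lists stay aligned.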

lukejadamec
Super Champion

Have you tried limiting the search to events that match that criteria?
Add this prior to the transaction:

|search event="Enter" OR event="Connect" |


rakesh_498115
Motivator

Please give me the table format, so that I can help with the query?
