Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Multiple value for the same field in one event...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
prettysunshinez
Explorer
03-11-2020
01:54 AM
I have an event having 3 errors..
I have a regular expression written to capture the error as "ERROR".
And now i have a lookup file and I input the ERROR value and output Comments for the respective error.
I do not have issues when there is just one value for ERROR field in one event(i.e., if there is only one error in a event)
But when there are more than one error,then i get the result as below.
Kindly help..
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
manjunathmeti
Champion
03-16-2020
03:25 AM
Expand ERROR values before lookup command.
index= |(regular expression to catch the error from the logs as ERROR) | mvexpand ERROR | lookup abc.csv ERROR output Comments |stats count by Comments
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
manjunathmeti
Champion
03-16-2020
03:25 AM
Expand ERROR values before lookup command.
index= |(regular expression to catch the error from the logs as ERROR) | mvexpand ERROR | lookup abc.csv ERROR output Comments |stats count by Comments
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
03-14-2020
01:36 PM
What you are describing is not possible unless you have a Lookup Definition with some extra settings in it. It is pointless to continue without you spelling out everything including at least 2 lines of your Lookup File and your search SPL and your Lookup Definition.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
03-11-2020
01:53 PM
index=your_index
|(regular expression to catch the error from the logs as ERROR)
| stats count by ERROR
| lookup abc.csv ERROR output Comments
I see, this query excludes same ERROR
How about this?
In your last comment, |stats count by Comments
This result is following:
Comments count
abc 3
bcd 1
....
This result is not your first expect result.
Which do you want?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
prettysunshinez
Explorer
03-11-2020
11:01 PM
Am sorry I missed it..
I get the error also as part of output from lookup file..and i do statistics count and values based on ERROR..
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
prettysunshinez
Explorer
03-11-2020
09:02 AM
index= |(regular expression to catch the error from the logs as ERROR) | lookup abc.csv ERROR output Comments |stats count by Comments
abc.csv:
ERROR Comments
Error1 abc
Error2 abc
Error3 bcd
Error4 bed
Error5 abc
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
03-22-2020
11:43 AM
Why are you being so vauge? Show us ALL of your search! The rex part is probably THE MOST IMPORTANT PART and yet you stripped it!?!?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
prettysunshinez
Explorer
03-11-2020
11:02 AM
Regular followed by max_match=0..
In order to capture all the occurences of ERROR
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
03-22-2020
11:44 AM
SHOW US THE FULL SEARCH SPL and a few sample events.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
manjunathmeti
Champion
03-11-2020
08:08 AM
can you post your query?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
03-11-2020
06:38 AM
"ERROR" field is multivalue?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
prettysunshinez
Explorer
03-11-2020
07:43 AM
Single value only
Get Updates on the Splunk Community!
Dashboards: Hiding charts while search is being executed and other uses for tokens
There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...
Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...
This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...
Brains, Bytes, and Boston: Learn from the Best at .conf25
When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
