Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Multiple value for the same field in one event...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
prettysunshinez
Explorer
03-11-2020
01:54 AM
I have an event having 3 errors..
I have a regular expression written to capture the error as "ERROR".
And now i have a lookup file and I input the ERROR value and output Comments for the respective error.
I do not have issues when there is just one value for ERROR field in one event(i.e., if there is only one error in a event)
But when there are more than one error,then i get the result as below.
Kindly help..
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
manjunathmeti
Champion
03-16-2020
03:25 AM
Expand ERROR values before lookup command.
index= |(regular expression to catch the error from the logs as ERROR) | mvexpand ERROR | lookup abc.csv ERROR output Comments |stats count by Comments
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
manjunathmeti
Champion
03-16-2020
03:25 AM
Expand ERROR values before lookup command.
index= |(regular expression to catch the error from the logs as ERROR) | mvexpand ERROR | lookup abc.csv ERROR output Comments |stats count by Comments
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
03-14-2020
01:36 PM
What you are describing is not possible unless you have a Lookup Definition with some extra settings in it. It is pointless to continue without you spelling out everything including at least 2 lines of your Lookup File and your search SPL and your Lookup Definition.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
03-11-2020
01:53 PM
index=your_index
|(regular expression to catch the error from the logs as ERROR)
| stats count by ERROR
| lookup abc.csv ERROR output Comments
I see, this query excludes same ERROR
How about this?
In your last comment, |stats count by Comments
This result is following:
Comments count
abc 3
bcd 1
....
This result is not your first expect result.
Which do you want?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
prettysunshinez
Explorer
03-11-2020
11:01 PM
Am sorry I missed it..
I get the error also as part of output from lookup file..and i do statistics count and values based on ERROR..
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
prettysunshinez
Explorer
03-11-2020
09:02 AM
index= |(regular expression to catch the error from the logs as ERROR) | lookup abc.csv ERROR output Comments |stats count by Comments
abc.csv:
ERROR Comments
Error1 abc
Error2 abc
Error3 bcd
Error4 bed
Error5 abc
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
03-22-2020
11:43 AM
Why are you being so vauge? Show us ALL of your search! The rex part is probably THE MOST IMPORTANT PART and yet you stripped it!?!?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
prettysunshinez
Explorer
03-11-2020
11:02 AM
Regular followed by max_match=0..
In order to capture all the occurences of ERROR
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
03-22-2020
11:44 AM
SHOW US THE FULL SEARCH SPL and a few sample events.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
manjunathmeti
Champion
03-11-2020
08:08 AM
can you post your query?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
03-11-2020
06:38 AM
"ERROR" field is multivalue?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
prettysunshinez
Explorer
03-11-2020
07:43 AM
Single value only
Get Updates on the Splunk Community!
Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...
This is the second post in our Splunk Observability Cloud’s AI Assistant in Action series, in which we look at ...
Elevate Your Organization with Splunk’s Next Platform Evolution
Thursday, July 10, 2025 | 11AM PDT / 2PM EDT
Whether you're managing complex deployments or looking to ...
Splunk Answers Content Calendar, June Edition
Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...
