Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Multivalue fields to Columns and values of a single event

Matioski7
Explorer
‎05-04-2021 06:26 AM

Hello,

I'm trying to show this event as a table:

 

 

2021-05-04 11:28:56.722, TIME="2021-05-04 11:28:56.722", ID="0a7a270b79341ba28179372363920a5d", CREATED="1620127736722", SOURCE="Group Aggregation", ACTION="entitlement_attribute_change", TARGET="CN=g-cvi_admin_test,OU=CVI,OU=Security,OU=Control Groups,DC=base,DC=dev", APPLICATION="AD Base Direct", ACCOUNT_NAME="memberOf", INSTANCE="003608aa42a7425793ea73cc7f9f8e65", ATTRIBUTE_NAME="msDS-PrincipalName", ATTRIBUTE_VALUE="BASEDEV\g-cvi_admin_test", ATTRIBUTES="<Attributes>
        <Map>
          <entry key="attributeName" value="msDS-PrincipalName"/>
          <entry key="newValue" value="BASEDEV\g-cvi_admin_test"/>
          <entry key="oldValue" value="BASEINT\g-cvi_admin_test"/>
        </Map>
</Attributes>
", STRING1="Change of group of value CN=g-cvi_admin_test,OU=CVI,OU=Security,OU=Control Groups,DC=base,DC=dev on AD Base Direct", STRING2="BASEINT\g-cvi_admin_test", STRING3="group"

 

 

I have all the fields extracted correctly  even the ATTRIBUTES:

 

 

<Attributes>
        <Map>
          <entry key="attributeName" value="msDS-PrincipalName"/>
          <entry key="newValue" value="BASEDEV\g-cvi_admin_test"/>
          <entry key="oldValue" value="BASEINT\g-cvi_admin_test"/>
        </Map>
</Attributes>

 

 

From this ATTRIBUTE field, thanks to:

 

 

|rex max_match=0 field=ATTRIBUTES "<entry key=\"(?<key_xml>[a-zA-Z0-9_]+?)\" value=\"(?<value_xml>[\s\S]+?)(?:\"\/>)"

 

 

From that I'm getting key_xml and value_xml as multivalues.

I would like to have key_xml as column names and value_xml as row cells of the corresponding keys.

Thanks to whomever can help me

 

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎05-04-2021 06:38 AM

@Matioski7 

 

You can try Dynamic eval for this with some magical multivalued commands . Please check my sample search for single event./ You can modify this as per your requirement.

 

| makeresults 
| eval ATTRIBUTES="<Attributes>
        <Map>
          <entry key=\"attributeName\" value=\"msDS-PrincipalName\"/>
          <entry key=\"newValue\" value=\"BASEDEV\g-cvi_admin_test\"/>
          <entry key=\"oldValue\" value=\"BASEINT\g-cvi_admin_test\"/>
        </Map>
</Attributes>" 
| rex max_match=0 field=ATTRIBUTES "<entry key=\"(?<key_xml>[a-zA-Z0-9_]+?)\" value=\"(?<value_xml>[\s\S]+?)(?:\"\/>)" 
| fields key_xml,value_xml 
| eval tmp = mvzip(key_xml,value_xml) 
| mvexpand tmp 
| eval key_xml=mvindex(split(tmp,","),0),value_xml=mvindex(split(tmp,","),1), {key_xml}=value_xml 
| fields - tmp,key_xml,value_xml
| stats values(*) as *

 

View solution in original post

Reply
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎05-04-2021 06:38 AM

@Matioski7 

 

You can try Dynamic eval for this with some magical multivalued commands . Please check my sample search for single event./ You can modify this as per your requirement.

 

| makeresults 
| eval ATTRIBUTES="<Attributes>
        <Map>
          <entry key=\"attributeName\" value=\"msDS-PrincipalName\"/>
          <entry key=\"newValue\" value=\"BASEDEV\g-cvi_admin_test\"/>
          <entry key=\"oldValue\" value=\"BASEINT\g-cvi_admin_test\"/>
        </Map>
</Attributes>" 
| rex max_match=0 field=ATTRIBUTES "<entry key=\"(?<key_xml>[a-zA-Z0-9_]+?)\" value=\"(?<value_xml>[\s\S]+?)(?:\"\/>)" 
| fields key_xml,value_xml 
| eval tmp = mvzip(key_xml,value_xml) 
| mvexpand tmp 
| eval key_xml=mvindex(split(tmp,","),0),value_xml=mvindex(split(tmp,","),1), {key_xml}=value_xml 
| fields - tmp,key_xml,value_xml
| stats values(*) as *

 

Reply
Solved! Jump to solution

Matioski7
Explorer
‎05-04-2021 06:54 AM

Thanks, it was very helpful.

But I still have an issue, the "fields -" is taking also all the other field extracted that I don't want to include, I would like to include only the one specified in key_xml field that of course is Dynamic and can change.

How can I prevent all the other fields to be shown

 

0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎05-04-2021 06:58 AM

You can allowed just required field.

like in this case we are using just ATTRIBUTES field. then after your base search just put 

| fields ATTRIBUTES

 

it will restrict all other fields.  

Reply
Solved! Jump to solution

Matioski7
Explorer
‎05-04-2021 07:07 AM

Working like a charm, Thanks a lot. You made my day.

0 Karma
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...