Splunk Search

Need _time on each event for a |makeresults

sbowser_splunk
Splunk Employee

Hello,

I need to spoof some data and am using |makeresults for 3 hosts and their port status of "UP" (and eventually "DOWN").

| makeresults
| eval _raw = "host1%UP%UP%UP%#host2%UP%UP%UP%#host3%UP%UP%UP%"
| rex max_match=0 "(?P<_raw>[^#]+)"
| mvexpand _raw
| table _time _raw
| rex "(?P<host>[^\%]+)%(?P<Port1>[^\%]+)%(?P<Port2>[^\%]+)%(?P<Port3>[^\%]+)"
| table _time host Port1 Port2 Port3

This gives me 3 lines for the result, but _time shows only on the first result for "host1".

Question: How do I get the above search to show _time for all 3 results?

Thank you.

1 Solution

somesoni2
Revered Legend

The mvexpand command doesn't work on _* fields (internal/special Splunk fields). Try like this:

| makeresults
| eval raw = "host1%UP%UP%UP%#host2%UP%UP%UP%#host3%UP%UP%UP%"
| makemv raw delim="#"
| mvexpand raw
| rex field=raw "(?P<host>[^\%]+)%(?P<Port1>[^\%]+)%(?P<Port2>[^\%]+)%(?P<Port3>[^\%]+)"
| table _time host Port1 Port2 Port3


DalJeanis
Legend

Okay, to give you three events, each with _time, host, and one of the ports, you can do either of these:

| eval myports=mvappend("Port1=".Port1, "Port2=".Port2, "Port3=".Port3)
| table _time host myports
| mvexpand myports
| rex field=myports "(?<myport>[^=]+)=(?<myvalue>.*)$"
| eval {myport} = myvalue
| fields - myports myport myvalue

This first one gives you a record that looks like | table _time host Port* where Port* is either Port1, Port2 or Port3.

OR

| streamstats count as recno  
| rename _time as time 
| untable recno portname portvalue 
| eventstats min(eval(if(portname="time",portvalue,null()))) as _time min(eval(if(portname="host",portvalue,null()))) as host by recno
| where portname!="time" AND portname!="host"

This second one gives a record that looks like

| table _time host portname portvalue
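As an added end-to-end example (not code from this thread), the following search combines somesoni2's accepted makemv/mvexpand approach with DalJeanis's first reshaping, includes some "DOWN" statuses, and then uses the spoofed events the way a monitoring search would, flagging hosts with any port down. The mixed UP/DOWN input, the 60-second _time spacing between hosts via streamstats, and the down_ports / down_port_names field names are assumptions of this example, not from the original post.

```spl
| makeresults
| eval raw = "host1%UP%UP%UP%#host2%UP%DOWN%UP%#host3%DOWN%DOWN%UP%"
| makemv raw delim="#"
| mvexpand raw
| rex field=raw "(?<host>[^%]+)%(?<Port1>[^%]+)%(?<Port2>[^%]+)%(?<Port3>[^%]+)"
| streamstats count as recno
| eval _time = _time - (recno - 1) * 60
| eval myports = mvappend("Port1=".Port1, "Port2=".Port2, "Port3=".Port3)
| mvexpand myports
| rex field=myports "(?<portname>[^=]+)=(?<portvalue>.*)$"
| table _time host portname portvalue
| stats count(eval(portvalue="DOWN")) as down_ports values(eval(if(portvalue="DOWN", portname, null()))) as down_port_names by _time host
| where down_ports > 0
```

Because recno is computed before the per-port mvexpand, all three port rows of a host keep that host's _time, so the final stats groups them correctly; removing the last two lines leaves the plain one-event-per-port table DalJeanis describes.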

sbowser_splunk
Splunk Employee

Thank you for all of these tips!


DalJeanis
Legend

answers were posted in the slack channel
