Hello,
I need to spoof some data and am using |makeresults for 3 hosts and their port status of "UP" (and eventually "DOWN")
| makeresults
| eval _raw = "host1%UP%UP%UP%#host2%UP%UP%UP%#host3%UP%UP%UP%"
| rex max_match=0 "(?P<_raw>[^#]+)"
| mvexpand _raw
| table _time _raw
| rex "(?P<host>[^\%]+)%(?P<Port1>[^\%]+)%(?P<Port2>[^\%]+)%(?P<Port3>[^\%]+)"
| table _time host Port1 Port2 Port3
This gives me 3 lines for the result but _time shows only on the first result for "host1"
Question: How do I get the above search to show _time for all 3 results?
Thank you.
somesoni2:
The mvexpand command doesn't work on _* fields (internal/special splunk fields). Try like this
| makeresults
| eval raw = "host1%UP%UP%UP%#host2%UP%UP%UP%#host3%UP%UP%UP%"
| makemv raw delim="#"
| mvexpand raw
| rex field=raw "(?P<host>[^\%]+)%(?P<Port1>[^\%]+)%(?P<Port2>[^\%]+)%(?P<Port3>[^\%]+)"
| table _time host Port1 Port2 Port3
DalJeanis:
okay, to give you three events, each with the _time, host, and one of the ports, you can do either of these
| eval myports=mvappend("Port1=".Port1, "Port2=".Port2, "Port3=".Port3)
| table _time host myports
| mvexpand myports
| rex field=myports "(?<myport>[^=]+)=(?<myvalue>.*)$"
| eval {myport} = myvalue
| fields - myports myport myvalue
This first one gives you a record that looks like | table _time host Port*
where Port* is either Port1, Port2 or Port3.
OR
| streamstats count as recno
| rename _time as time
| untable recno portname portvalue
| eventstats min(eval(if(portname="time",portvalue,null()))) as _time min(eval(if(portname="host",portvalue,null()))) as host by recno
| where portname!="time" AND portname!="host"
This second one gives a record that looks like
| table _time host portname portvalue
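Both answers above combine into one end-to-end search. The following is an added example, not code from either poster: it builds the spoofed data with a mix of UP and DOWN values (the original only used UP), splits per host on a regular field so every row keeps _time, then uses the corrected mvappend/mvexpand/rex steps to get one row per host and port, and finally summarizes which ports are DOWN per host. Host names, port values and the `down_ports`/`down_list` field names are constructed for the example; it assumes a Splunk version where `makemv`, `mvappend` and `eval` inside `stats` are available.

```spl
| makeresults
| eval raw="host1%UP%UP%UP%#host2%UP%DOWN%UP%#host3%DOWN%DOWN%UP%"
| makemv raw delim="#"
| mvexpand raw
| rex field=raw "(?<host>[^\%]+)%(?<Port1>[^\%]+)%(?<Port2>[^\%]+)%(?<Port3>[^\%]+)"
| fields _time host Port1 Port2 Port3
| eval ports=mvappend("Port1=".Port1, "Port2=".Port2, "Port3=".Port3)
| fields _time host ports
| mvexpand ports
| rex field=ports "^(?<port>[^=]+)=(?<status>.*)$"
| fields - ports
| stats count(eval(status="DOWN")) as down_ports values(eval(if(status="DOWN", port, null()))) as down_list by _time host
```

With the constructed input this yields one row per host carrying the shared _time: host1 with down_ports=0, host2 with down_ports=1 (Port2), host3 with down_ports=2 (Port1, Port2). The key point from the thread is that every `mvexpand` runs against a normal field (`raw`, `ports`), never `_raw`, so _time is carried onto every expanded row.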
Thank you for all of these tips!
DalJeanis:
answers were posted in the slack channel