Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Possible to show all values from same field name with different values from one Event?

FGAnders
Explorer
‎08-10-2022 01:52 AM

Hi,

I'm trying to make my query show all the different values from one field (Product) that it is showing in the Event. I have data from Event that has Product=ABC, Product=????? and Product=??.  The Products will have random / different values.

When I run the query it will only show me the Product=ABC not any of the others with different values but same field.  

 

 

 

index=X Name=* currency=* channel=* country=* state=*  Product=* | stats list(Name) as Name, list(currency) as currency, list(amount) as amount, list(channel) as device, list(country) as From, list(state) as Status,  list(Product) as Products |

 

 

 

 

I would like to have it show all the Products from the one event.  So in case there are 3 Products 

Products
ABC
?????
??

---

In case I have another event with four fields with Products it has to show all 4. 

Products
ABC
?????
??
4th Product

Is this possible ?

 

Thank you,

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-10-2022 02:50 AM

You could use rex to extract the multiple instances of the field(s), Product for example

| rex max_match=0 "Product=(?<Product>[^,]+)"

However, you probably want to look at your transforms.conf and props.conf for the source type to handle multi-value fields

View solution in original post

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-10-2022 02:02 AM

This part of your search produces a pipeline of events from your index

index=X Name=* currency=* channel=* country=* state=*  Product=*

This part aggregates all the events in the pipeline into a single event

| stats list(Name) as Name, list(currency) as currency, list(amount) as amount, list(channel) as device, list(country) as From, list(state) as Status,  list(Product) as Products

If you want to table each event separately (so you can see the multi-value Products for example), replace the stats with a table command

| table Name, currency, amount, channel, country, state, Product

If this is not what you are after, please can you provided some sample events (preferably in a code block </>) and an example of the desired output

0 Karma
Reply
Solved! Jump to solution

FGAnders
Explorer
‎08-10-2022 02:36 AM

Hi,

Thank you for fast reply

I tried to only run as shorter query like:

 

 

index=X Name=JohnA | table Name Product

 

 

I still only see the first Product of the event from the index.

 

 

Name Product
JohnA ABC

 

 

If I go to the event in the index I can see that Product=ABC, Product=?? and Product=GOLD is shown in the event data. But it seems to only show me one of them. 

Some of the data from event. 

 

 

Name='JohnA',selection=2,Product='ABC',description=<null>,country='MT',selection=1,Product='??',description=<null>,country='MT',selection=2,Product='GOLD',description=<null>,country='MT',

 

 

I would like it to show all the Products like this 

 

 

Name Product
JohnA ABC,??,GOLD

 

 

 Or like this

 

 

Name Product
JohnA ABC
      ??
      GOLD

 

 

 

Everything else its getting shown correctly except when there is same field with different values in one single event.

Thank you,

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-10-2022 02:50 AM

You could use rex to extract the multiple instances of the field(s), Product for example

| rex max_match=0 "Product=(?<Product>[^,]+)"

However, you probably want to look at your transforms.conf and props.conf for the source type to handle multi-value fields

Reply
Solved! Jump to solution

FGAnders
Explorer
‎08-10-2022 02:55 AM

Thank you very much, this works.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Lantern | Getting Started with Edge Processor, Machine Learning Toolkit ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 2 releases of new security content via the ...

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We are happy to announce the 20 lucky questers who are selected to be the first round of Champion's Tribute ...