Hi,
I'm trying to make my query show all the different values from one field (Product) that it is showing in the Event. I have data from Event that has Product=ABC, Product=????? and Product=??. The Products will have random / different values.
When I run the query, it only shows me Product=ABC, not any of the others with different values but the same field.
index=X Name=* currency=* channel=* country=* state=* Product=* | stats list(Name) as Name, list(currency) as currency, list(amount) as amount, list(channel) as device, list(country) as From, list(state) as Status, list(Product) as Products
I would like to have it show all the Products from the one event. So in case there are 3 Products:
Products
ABC
?????
??
---
In case I have another event with four fields with Products it has to show all 4.
Products
ABC
?????
??
4th Product
Is this possible?
Thank you,
This part of your search produces a pipeline of events from your index
index=X Name=* currency=* channel=* country=* state=* Product=*
This part aggregates all the events in the pipeline into a single event
| stats list(Name) as Name, list(currency) as currency, list(amount) as amount, list(channel) as device, list(country) as From, list(state) as Status, list(Product) as Products
If you want to table each event separately (so you can see the multi-value Products for example), replace the stats with a table command
| table Name, currency, amount, channel, country, state, Product
If this is not what you are after, please can you provide some sample events (preferably in a code block </>) and an example of the desired output.
Hi,
Thank you for the fast reply.
I tried to run only a shorter query like:
index=X Name=JohnA | table Name Product
I still only see the first Product of the event from the index.
Name Product
JohnA ABC
If I go to the event in the index I can see that Product=ABC, Product=?? and Product=GOLD is shown in the event data. But it seems to only show me one of them.
Some of the data from event.
Name='JohnA',selection=2,Product='ABC',description=<null>,country='MT',selection=1,Product='??',description=<null>,country='MT',selection=2,Product='GOLD',description=<null>,country='MT',
I would like it to show all the Products like this
Name Product
JohnA ABC,??,GOLD
Or like this
Name Product
JohnA ABC
??
GOLD
Everything else is getting shown correctly, except when there is the same field with different values in one single event.
Thank you,
You could use rex to extract the multiple instances of the field(s), Product for example:
| rex max_match=0 "Product=(?<Product>[^,]+)"
However, you probably want to look at your transforms.conf and props.conf for the source type to handle multi-value fields.
Thank you very much, this works.
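The transforms.conf and props.conf route mentioned in the answer above, as an added example that is not part of the original thread: a search-time extraction that keeps every Product value found in an event. The stanza names `product_mv` and `your_sourcetype` are placeholders, and the regex assumes the single-quoted values shown in the sample event.

```ini
# transforms.conf  (search-time extraction; stanza name "product_mv" is a placeholder)
[product_mv]
# Capture the text between the single quotes after each Product= key,
# matching the quoting seen in the sample event.
REGEX = Product='([^']*)'
# Write each capture to the field named Product.
FORMAT = Product::$1
# Append every match to the field as an additional value instead of
# discarding matches after the first. Valid for search-time extractions only.
MV_ADD = true

# props.conf  ("your_sourcetype" stands in for the real source type name)
[your_sourcetype]
# Attach the transform above to events of this source type.
REPORT-product_mv = product_mv
```

With the extraction defined this way, Product is a multi-value field at search time; piping it through `| eval Product=mvjoin(Product, ",")` gives the single comma-separated form.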