Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

REX expression for multiple extractions in columns

raby1996
Path Finder
‎04-04-2017 02:50 PM

Hello all,

I was hoping I could get a bit of assistance in figuring out a rex expression I could use to extract part numbers that are in column, I have a sample data set below,

part_num      serial_num         type
abc            123                a
bcd            234                a
cde            456                b

Essentially I'm trying to extract all the "part_num" and "serial_num" for "types" of "a", I can extract the first part that matches however I've been unable to figure out how I can extract all fields I need of type a for my events, essentially it would look like this (FYI, I already have the host machine serial number extracted)

rex....
|stats list(part_num) as part_num list(serial_num) as serial_num by host_machine

host_machine.      part_num             serial_num
981-aabbc             abc                    123
                      bcd                    234

and this would display for all my machines. Thank you, and please let me know if there are any questions, I appreciate any help

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎04-04-2017 03:16 PM

If your "dataset" above a single event that looks exactly like that, then you need multikv:

http://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Multikv

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎04-04-2017 03:16 PM

If your "dataset" above a single event that looks exactly like that, then you need multikv:

http://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Multikv

Reply
Solved! Jump to solution

raby1996
Path Finder
‎04-05-2017 12:40 PM

Yes, your'e right, this looks like it will do the job, thank you.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎04-04-2017 03:14 PM

Is your "dataset" above a single event that looks exactly like that?

0 Karma
Reply
Solved! Jump to solution

cpetterborg
SplunkTrust
SplunkTrust
‎04-04-2017 02:58 PM

Your sample data set looks like a CSV file. Is it?

If it is, then wouldn't you want to do a lookup by type to get the part_num and serial_num from the lookup table? That would not require a rex statement at all.

If not, what exactly is the sample data set? And is it in Splunk as an event, or what?

0 Karma
Reply
Solved! Jump to solution

raby1996
Path Finder
‎04-04-2017 03:06 PM

No unfortunately this is not csv, (or structured data), essentially this is a large text file, and this data is in tabular format somewhere towards the middle of the file, the easiest way to look at it was if we ran an "ls -t" on a unix server with the headers being at the top, and yes it is in splunk as an event.

0 Karma
Reply
Get Updates on the Splunk Community!

What's New in Splunk Cloud Platform 9.3.2411?

Hey Splunky People! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2411. This release ...

Buttercup Games: Further Dashboarding Techniques (Part 6)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Hey, Splunk Community! Ready to take your data management skills to the next level? Join us for a 3-part ...
li.common.scroll-to.top