Splunk Search

Raw data only parsing the first instance

praddasg
Path Finder

Hello All,

I have a data like this

X1=[A(status=X, reason=Y), A(status=Z, reason=Y), A(status=xyz, reason=abc)]

Now when I am using the query <search criteria> | table status, reason it is giving values "X" and "Y"
1. Trying to understand why it is not considering the values Z & Y and xyz & abc
2. If I have to get the result of values Z & Y and xyz & abc how to retrieve?

0 Karma

to4kawa
Ultra Champion

sample query:

| makeresults
| eval _raw="service: mnp, o=123, X1=[A(status=X, reason=Y), A(status=Z, reason=Y), A(status=xyz, reason=abc)]"
| rex max_match=0 "status=(?<status>\w+), reason=(?<reason>\w+)"
| table status reason
| eval _counter = mvrange(0,mvcount(status))
| stats list(*) as * by _counter
| foreach * [ eval <<FIELD>> = mvindex('<<FIELD>>', _counter)]
| fields - _*

recommend:

<search criteria> 
| rex max_match=0 "status=(?<status>\w+), reason=(?<reason>\w+)"
| fields status reason
| eval _counter = mvrange(0,mvcount(status))
| stats list(*) as * by _counter
| foreach * [ eval <<FIELD>> = mvindex('<<FIELD>>', _counter)]
| fields - _*
| table status, reason
0 Karma

praddasg
Path Finder

Hello @to4kawa
It is still giving me values "X" and "Y"

0 Karma

to4kawa
Ultra Champion

use where OR search

0 Karma

praddasg
Path Finder

I am only using where but still the same

0 Karma

to4kawa
Ultra Champion

I see, your query is wrong

0 Karma

praddasg
Path Finder

Hi @to4kawa
can you please explain a bit more when you say the query is wrong? What I meant above is in the complete query I am not using search instead using where

service
| where not reason like "%P%"
|table status, reason

0 Karma

to4kawa
Ultra Champion
| where not reason like "%P%" 

This can't work.
where "%P%" come from?
Don't you select NOT (status="X" AND reason="Y")?

0 Karma

richgalloway
SplunkTrust
SplunkTrust

What is <search criteria>?

---
If this reply helps you, Karma would be appreciated.
0 Karma

praddasg
Path Finder

Hi @richgalloway the raw data is like service: mnp, o=123, X1=[A(status=X, reason=Y), A(status=Z, reason=Y), A(status=xyz, reason=abc)]

and my <search criteria> is service

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...