Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Raw data only parsing the first instance

praddasg
Path Finder
‎03-26-2020 08:10 PM

Hello All,

I have a data like this

X1=[A(status=X, reason=Y), A(status=Z, reason=Y), A(status=xyz, reason=abc)]

Now when I am using the query <search criteria> | table status, reason it is giving values "X" and "Y"
1. Trying to understand why it is not considering the values Z & Y and xyz & abc
2. If I have to get the result of values Z & Y and xyz & abc how to retrieve?

0 Karma
Reply

to4kawa
Ultra Champion
‎03-28-2020 04:09 PM

sample query:

| makeresults
| eval _raw="service: mnp, o=123, X1=[A(status=X, reason=Y), A(status=Z, reason=Y), A(status=xyz, reason=abc)]"
| rex max_match=0 "status=(?<status>\w+), reason=(?<reason>\w+)"
| table status reason
| eval _counter = mvrange(0,mvcount(status))
| stats list(*) as * by _counter
| foreach * [ eval <<FIELD>> = mvindex('<<FIELD>>', _counter)]
| fields - _*

recommend:

<search criteria> 
| rex max_match=0 "status=(?<status>\w+), reason=(?<reason>\w+)"
| fields status reason
| eval _counter = mvrange(0,mvcount(status))
| stats list(*) as * by _counter
| foreach * [ eval <<FIELD>> = mvindex('<<FIELD>>', _counter)]
| fields - _*
| table status, reason
0 Karma
Reply

praddasg
Path Finder
‎03-28-2020 04:16 PM

Hello @to4kawa
It is still giving me values "X" and "Y"

0 Karma
Reply

to4kawa
Ultra Champion
‎03-28-2020 04:56 PM

use where OR search

0 Karma
Reply

praddasg
Path Finder
‎03-28-2020 05:50 PM

I am only using where but still the same

0 Karma
Reply

to4kawa
Ultra Champion
‎03-28-2020 07:43 PM

I see, your query is wrong

0 Karma
Reply

praddasg
Path Finder
‎03-30-2020 06:34 PM

Hi @to4kawa
can you please explain a bit more when you say the query is wrong? What I meant above is in the complete query I am not using search instead using where

service
| where not reason like "%P%"
|table status, reason

0 Karma
Reply

to4kawa
Ultra Champion
‎03-31-2020 02:27 PM 
| where not reason like "%P%"

This can't work.
where "%P%" come from?
Don't you select NOT (status="X" AND reason="Y")?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-27-2020 06:00 AM

What is <search criteria>?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

praddasg
Path Finder
‎03-28-2020 07:22 AM

Hi @richgalloway the raw data is like service: mnp, o=123, X1=[A(status=X, reason=Y), A(status=Z, reason=Y), A(status=xyz, reason=abc)]

and my <search criteria> is service

0 Karma
Reply
Get Updates on the Splunk Community!

What the End of Support for Splunk Add-on Builder Means for You

Hello Splunk Community! We want to share an important update regarding the future of the Splunk Add-on Builder ...

Solve, Learn, Repeat: New Puzzle Channel Now Live

Welcome to the Splunk Puzzle PlaygroundIf you are anything like me, you love to solve problems, and what ...

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...