Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Raw data only parsing the first instance
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Raw data only parsing the first instance
Hello All,
I have a data like this
X1=[A(status=X, reason=Y), A(status=Z, reason=Y), A(status=xyz, reason=abc)]
Now when I am using the query <search criteria> | table status, reason it is giving values "X" and "Y"
1. Trying to understand why it is not considering the values Z & Y and xyz & abc
2. If I have to get the result of values Z & Y and xyz & abc how to retrieve?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sample query:
| makeresults
| eval _raw="service: mnp, o=123, X1=[A(status=X, reason=Y), A(status=Z, reason=Y), A(status=xyz, reason=abc)]"
| rex max_match=0 "status=(?<status>\w+), reason=(?<reason>\w+)"
| table status reason
| eval _counter = mvrange(0,mvcount(status))
| stats list(*) as * by _counter
| foreach * [ eval <<FIELD>> = mvindex('<<FIELD>>', _counter)]
| fields - _*
recommend:
<search criteria>
| rex max_match=0 "status=(?<status>\w+), reason=(?<reason>\w+)"
| fields status reason
| eval _counter = mvrange(0,mvcount(status))
| stats list(*) as * by _counter
| foreach * [ eval <<FIELD>> = mvindex('<<FIELD>>', _counter)]
| fields - _*
| table status, reason
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @to4kawa
It is still giving me values "X" and "Y"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
use where OR search
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am only using where but still the same
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I see, your query is wrong
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @to4kawa
can you please explain a bit more when you say the query is wrong? What I meant above is in the complete query I am not using search instead using where
service
| where not reason like "%P%"
|table status, reason
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| where not reason like "%P%"
This can't work.
where "%P%" come from?
Don't you select NOT (status="X" AND reason="Y")?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What is <search criteria>?
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @richgalloway the raw data is like service: mnp, o=123, X1=[A(status=X, reason=Y), A(status=Z, reason=Y), A(status=xyz, reason=abc)]
and my <search criteria> is service
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
