Solved: Return on certain field values in my search

Clancy_Moped · ‎01-11-2024

Hi Community,

I'm fairly inexperienced when it comes to anything other than quite basic searches, so my apologies in advance.

I have a field which returns several values, and I only wish to return one in my searches.

The field name is "triggeredComponents{}.triggeredFilters{}.trigger.value" and it returns several values of different types, for example:

1
5
out
text / text text text
hostname1
hostname2
445

I only wish to retrieve and view the "text / text text text" value, and then pop that into a |stats command. Please can someone offer some advise?

Many thanks in advance!

dtburrows3 · ‎01-11-2024

I think an eval expression like this would do it.

| eval
        targeted_component=case(
            mvcount('triggeredComponents{}.triggeredFilters{}.trigger.value')==1, if(match('triggeredComponents{}.triggeredFilters{}.trigger.value', "\w+\s*\/\s*\w+(?:\s+\w+)*"), 'triggeredComponents{}.triggeredFilters{}.trigger.value', null()),
            mvcount('triggeredComponents{}.triggeredFilters{}.trigger.value')>1, mvmap('triggeredComponents{}.triggeredFilters{}.trigger.value', if(match('triggeredComponents{}.triggeredFilters{}.trigger.value', "\w+\s*\/\s*\w+(?:\s+\w+)*"), 'triggeredComponents{}.triggeredFilters{}.trigger.value', null()))
            )

and the output should look something like this.

Using the mvmap function, we loop through each entry of the multivalue field and check if the entry matches a specified regex pattern. If there is a match then we take the value of that entry and insert it into a new field. This new field can potentially also be multivalued, depending on if there are multiple entries from the original field that match the criteria.

and for the stats command part I guess you can just use the newly derived field as a stats by-field to get counts (or whatever kind of stats aggregation is needed)

    | stats
        count as count
            by targeted_component

View solution in original post

Clancy_Moped · ‎01-11-2024

Many thanks indeed dtburrows3, this is EXACTLY what I was looking for!

dtburrows3 · ‎01-11-2024

I think an eval expression like this would do it.

| eval
        targeted_component=case(
            mvcount('triggeredComponents{}.triggeredFilters{}.trigger.value')==1, if(match('triggeredComponents{}.triggeredFilters{}.trigger.value', "\w+\s*\/\s*\w+(?:\s+\w+)*"), 'triggeredComponents{}.triggeredFilters{}.trigger.value', null()),
            mvcount('triggeredComponents{}.triggeredFilters{}.trigger.value')>1, mvmap('triggeredComponents{}.triggeredFilters{}.trigger.value', if(match('triggeredComponents{}.triggeredFilters{}.trigger.value', "\w+\s*\/\s*\w+(?:\s+\w+)*"), 'triggeredComponents{}.triggeredFilters{}.trigger.value', null()))
            )

and the output should look something like this.

Using the mvmap function, we loop through each entry of the multivalue field and check if the entry matches a specified regex pattern. If there is a match then we take the value of that entry and insert it into a new field. This new field can potentially also be multivalued, depending on if there are multiple entries from the original field that match the criteria.

and for the stats command part I guess you can just use the newly derived field as a stats by-field to get counts (or whatever kind of stats aggregation is needed)

    | stats
        count as count
            by targeted_component

Return on certain field values in my search

field extraction

fields

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?