Returning specific field values from multivalue extractions

Builder

Hello Splunkers/Splunkettes!

I appear to be having a Splunkers block.

I am performing a multivalue field extraction similar to my previous question. Essentially, given the following sample output:

29/02/2012 16:00 - Printer Usage Report
Printer 1: Canon (123)
Printer 2: Canon (456)
Printer 3: Xerox (789)
Printer 4: Epson (012)
Printer 5: HP (345)
**** END REPORT ****

I am extracting printer_id, printer_vendor, and toner_level using the following config in transforms.conf:

[printer_toner_extract]
REGEX   = (?i)Printer\s(\d+):\s(\w+)\s+\((\d+)
FORMAT  = printer_id::$1 printer_vendor::$2 toner_level::$3
MV_ADD  = true

This appears to work fine as the field picker now shows all the fields and their values.

However, when I attempt to chart the toner_level for a specific printer (e.g. Printer 2):

printer_id="2" | chart list(toner_level)

This returns the toner_level values for every printer where printer 2 was in the event, i.e.:

list(starting_stack)
----------------------------
123
456
789
012
345
...

What I am hoping to see would be a list of just the values for Printer 2, i.e.:

list(starting_stack)
----------------------------
456
...

Many thanks in advance 🙂

Note: I am using list(X) here as it is meant to return specific values in chronological order.

How do I constrain the toner_level value to be specific to the printer_id I'm interested in?

0 Karma

Re: Returning specific field values from multivalue extractions

Ultra Champion

I think the problem is that by doing the MV extraction you are losing associativity amongst the fields, i.e. Printer X does not know which toner and vendor values from the other MV fields belong to itself.

So here is an alternate approach that should work for you. It uses a search-time field extraction and breaks the Printer metrics into individual events, which should make it easier for you to use the stats, chart and timechart commands.

props.conf

[printer_usage]
NO_BINARY_CHECK=1
SHOULD_LINEMERGE=true
BREAK_ONLY_BEFORE=^Printer\s\d+:.*$
EXTRACT-printer_toner_extract = (?i)Printer\s(?<printer_id>\d+):\s(?<printer_vendor>\w+)\s+\((?<toner_level>\d+)

Example Searches

With this search you can chart the toner levels over time by Printer ID:

sourcetype=printer_usage | timechart max(toner_level) by printer_id

And the search from your original question:

sourcetype=printer_usage printer_id=2 | stats list(toner_level)
0 Karma
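To make the associativity point concrete, here is an added Python simulation of both extraction strategies on the sample report (it is not code from either post, nor Splunk's own logic). The regex is the question's pattern with the closing parenthesis fixed; the helper names and the way Splunk's MV_ADD and line-breaking behaviour are modelled are assumptions.

```python
import re

# Constructed sample report, mirroring the one in the question.
REPORT = """29/02/2012 16:00 - Printer Usage Report
Printer 1: Canon (123)
Printer 2: Canon (456)
Printer 3: Xerox (789)
Printer 4: Epson (012)
Printer 5: HP (345)
**** END REPORT ****"""

# Same pattern as the transforms.conf REGEX (closing paren corrected).
PRINTER_RE = re.compile(r"(?i)Printer\s(\d+):\s(\w+)\s+\((\d+)")


def mv_extract(event):
    """Model MV_ADD=true: ONE event with three parallel multivalue fields.
    Nothing records that printer_id[i] belongs with toner_level[i]."""
    fields = {"printer_id": [], "printer_vendor": [], "toner_level": []}
    for pid, vendor, toner in PRINTER_RE.findall(event):
        fields["printer_id"].append(pid)
        fields["printer_vendor"].append(vendor)
        fields["toner_level"].append(toner)
    return fields


def linebroken_extract(report):
    """Model BREAK_ONLY_BEFORE=^Printer\\s\\d+: with the EXTRACT- regex:
    one event per printer line, so each event carries a single triple."""
    events = []
    for line in report.splitlines():
        m = PRINTER_RE.search(line)
        if m:
            events.append({"printer_id": m.group(1),
                           "printer_vendor": m.group(2),
                           "toner_level": m.group(3)})
    return events


def toner_for_printer_mv(report, printer_id):
    """printer_id=<X> | stats list(toner_level) against the multivalue event:
    the event matches if X appears anywhere in printer_id, so every
    toner_level value in the event is returned (the problem from the question)."""
    ev = mv_extract(report)
    return ev["toner_level"] if printer_id in ev["printer_id"] else []


def toner_for_printer_linebroken(report, printer_id):
    """The same search against per-printer events: only that printer's value."""
    return [e["toner_level"] for e in linebroken_extract(report)
            if e["printer_id"] == printer_id]
```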