Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Splitting Multi-Value and Multi-Line field?

daveywfii
Explorer
‎01-25-2023 01:52 PM

I have a list of chrome extensions that are installed that is returned in a multivalue field. One of the results looks like this: 
Screenshot 2023-01-25 at 2.45.46 PM.png

All I really care about is the extension name so I was able to run this query to use rex to extract the names of all the extensions: 

index=jamf source=jss_inventory "extensionAttribute.name"="Installed Chrome Extensions & Versions"
| fields extensionAttribute.name, computer_meta.assignedUser
| rex field=extensionAttribute.value max_match=0 "Name: (?<extensions>.*)\n"
| table extensions

This returns: 
Screenshot 2023-01-25 at 2.48.50 PM.png

How can I further extract these extensions in this multi-value field.  I can't get mvexpand to work because it says that the new extensions field I created doesn't exist in the data. I can't figure out how to extract each line as a separate result so that I can dedup and get a full list of all installed extensions. 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎01-25-2023 02:48 PM

mvexpand should work

index=jamf source=jss_inventory "extensionAttribute.name"="Installed Chrome Extensions & Versions"
| fields extensionAttribute.name, computer_meta.assignedUser
| rex field=extensionAttribute.value max_match=0 "Name: (?<extensions>.*)\n"
| table extensions
| mvexpand extensions

Do you get an error?

Alternatively, you could try this

index=jamf source=jss_inventory "extensionAttribute.name"="Installed Chrome Extensions & Versions"
| fields extensionAttribute.name, computer_meta.assignedUser
| rex field=extensionAttribute.value max_match=0 "Name: (?<extensions>.*)\n"
| stats count by extensions
| fields - count

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎01-25-2023 02:48 PM

mvexpand should work

index=jamf source=jss_inventory "extensionAttribute.name"="Installed Chrome Extensions & Versions"
| fields extensionAttribute.name, computer_meta.assignedUser
| rex field=extensionAttribute.value max_match=0 "Name: (?<extensions>.*)\n"
| table extensions
| mvexpand extensions

Do you get an error?

Alternatively, you could try this

index=jamf source=jss_inventory "extensionAttribute.name"="Installed Chrome Extensions & Versions"
| fields extensionAttribute.name, computer_meta.assignedUser
| rex field=extensionAttribute.value max_match=0 "Name: (?<extensions>.*)\n"
| stats count by extensions
| fields - count
0 Karma
Reply
Solved! Jump to solution

daveywfii
Explorer
‎01-25-2023 04:11 PM

The mvexpand doesn't work. No errors, but it doesn't return anything.  Your second suggestion inexplicably did  work, but I don't understand why. 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

Data Management Digest – May 2026

Welcome to the May 2026 edition of Data Management Digest!   As your trusted partner in data innovation, the ...