Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splitting Multi-Value and Multi-Line field?

daveywfii
Explorer
‎01-25-2023 01:52 PM

I have a list of chrome extensions that are installed that is returned in a multivalue field. One of the results looks like this: 
Screenshot 2023-01-25 at 2.45.46 PM.png

All I really care about is the extension name so I was able to run this query to use rex to extract the names of all the extensions: 

index=jamf source=jss_inventory "extensionAttribute.name"="Installed Chrome Extensions & Versions"
| fields extensionAttribute.name, computer_meta.assignedUser
| rex field=extensionAttribute.value max_match=0 "Name: (?<extensions>.*)\n"
| table extensions

This returns: 
Screenshot 2023-01-25 at 2.48.50 PM.png

How can I further extract these extensions in this multi-value field.  I can't get mvexpand to work because it says that the new extensions field I created doesn't exist in the data. I can't figure out how to extract each line as a separate result so that I can dedup and get a full list of all installed extensions. 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎01-25-2023 02:48 PM

mvexpand should work

index=jamf source=jss_inventory "extensionAttribute.name"="Installed Chrome Extensions & Versions"
| fields extensionAttribute.name, computer_meta.assignedUser
| rex field=extensionAttribute.value max_match=0 "Name: (?<extensions>.*)\n"
| table extensions
| mvexpand extensions

Do you get an error?

Alternatively, you could try this

index=jamf source=jss_inventory "extensionAttribute.name"="Installed Chrome Extensions & Versions"
| fields extensionAttribute.name, computer_meta.assignedUser
| rex field=extensionAttribute.value max_match=0 "Name: (?<extensions>.*)\n"
| stats count by extensions
| fields - count

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎01-25-2023 02:48 PM

mvexpand should work

index=jamf source=jss_inventory "extensionAttribute.name"="Installed Chrome Extensions & Versions"
| fields extensionAttribute.name, computer_meta.assignedUser
| rex field=extensionAttribute.value max_match=0 "Name: (?<extensions>.*)\n"
| table extensions
| mvexpand extensions

Do you get an error?

Alternatively, you could try this

index=jamf source=jss_inventory "extensionAttribute.name"="Installed Chrome Extensions & Versions"
| fields extensionAttribute.name, computer_meta.assignedUser
| rex field=extensionAttribute.value max_match=0 "Name: (?<extensions>.*)\n"
| stats count by extensions
| fields - count
0 Karma
Reply
Solved! Jump to solution

daveywfii
Explorer
‎01-25-2023 04:11 PM

The mvexpand doesn't work. No errors, but it doesn't return anything.  Your second suggestion inexplicably did  work, but I don't understand why. 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...