Hi, I have this Splunk SPL:
index=EventViewer source="WinEventLog:Application" SourceName=sample
| table host Name, Description, Location
Name, Description, and Location are all multivalue fields that directly correspond to each other.
Here is the sample for one of the hosts:
Name Description Location
name1 description1 location1
name2 description2 location2
name3 description3 location3
name4 description4 location4
What I am trying to do is show each record for each host in a separate row. I cannot use mvexpand because there are millions of events and it causes the results to be truncated due to the following warning message:
command.mvexpand: output will be truncated at 35500 results due to excessive memory usage.
I cannot do anything with limits.conf to adjust this memory limit so I need an alternative option to display each record in individual rows.

Try something like this
| eval combined=mvzip(name,mvzip(location,description,"|"),"|")
| stats count by combined
| eval name=mvindex(split(combined,"|"),0)
| eval location=mvindex(split(combined,"|"),1)
| eval description=mvindex(split(combined,"|"),2)

Name, Description, and Location are all multivalue fields that directly correspond to each other.
Here is the sample for one of the hosts:
Name Description Location
name1 description1 location1
name2 description2 location2
name3 description3 location3
name4 description4 location4
Can you explain how this sample is for ONE of the hosts? Does the above represent one field with five lines, the first line being "Name Description Location"? Or do you mean to say a sample for one of the hosts looks like
Name | Description | Location |
Name1 Name2 Name3 Name4 | description1 description2 description3 description4 | location1 location2 location3 location4 |
Or something totally different?
Also, your SPL snippet doesn't show the mvexpand command that causes the memory error. How are you using mvexpand?
Additionally, what is the expected output from the sample, after you clarify what the sample actually looks like?

Thanks @ITWhisperer, this seems to work. How can I display results where all the names, locations, and descriptions from the same event are displayed together? For example:
host | _time | Name | Location | Description |
host1 | 9:06 | Name1 | Location1 | Description1 |
host1 | 9:06 | Name2 | Location2 | Description2 |
host2 | 8:02 | Name1 | Location1 | Description1 |
host2 | 8:02 | Name2 | Location2 | Description2 |
If the event is sent at 9:02, let's say, for a specific host, I want to make sure all names, locations, and descriptions are displayed below each other. I hope that makes sense. I would really appreciate your help.

| sort 0 _time host
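A full pipeline that combines the accepted answer with the follow-up ordering, added here as an example rather than code posted in the thread: the stats split keeps host and _time alongside the zipped value so every expanded row stays attached to the event it came from, and the final sort groups one event's rows together. It assumes the field names are capitalised exactly as in the question (Splunk field names are case-sensitive) and that "|" does not normally occur inside a Name, Location or Description value; the delimiter_collision column flags any row where it did, because split() would then misalign the columns silently.

```spl
index=EventViewer source="WinEventLog:Application" SourceName=sample
| eval combined=mvzip(Name, mvzip(Location, Description, "|"), "|")
| stats count by host _time combined
| eval parts=split(combined, "|")
| eval delimiter_collision=if(mvcount(parts) > 3, "yes", "no")
| eval Name=mvindex(parts, 0)
| eval Location=mvindex(parts, 1)
| eval Description=mvindex(parts, 2)
| sort 0 _time host
| table host _time Name Location Description delimiter_collision
```

Because stats splits a multivalue by-field into one group per value, this avoids mvexpand's per-search memory limit entirely; identical tuples within the same event collapse into a single row, which is why count is carried but not displayed.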
