Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Transactions and mvexpand on _raw

dspracklen
Path Finder
‎11-05-2012 10:31 AM

While there was a good question related to my problem, the answers aren't solving my problem.

I need to constrain data to a list of event times for a list of given objects. I can constrain this using transaction and a dedup. This seems to work as best as I can tell. Like with previous questions, I then need to run stats on the events in each transaction to summarize them.

Currently, the relevant bits of my search look like this:
-etc etc etc- | transaction transField mvraw=true | dedup assetID | mvexpand _raw | stats etc etc

The problem is that I can never get mvexpand to recognize that _raw is a valid field. Invariably I get "Field '_raw' does not exist in the data." Replacing mvexpand with a table command shows the field is there, however.

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

dspracklen
Path Finder
‎11-05-2012 10:56 AM

The advice from sdaniels in his comment worked like a charm. Setting a new field to the value of _raw and then using mvexpand on that works. I'm not sure why _raw was invalid, but perhaps it is a change with version 5 of Splunk.

View solution in original post

Reply
Solved! Jump to solution

Michael
Contributor
‎02-03-2020 07:29 AM

Hmm, with due respect (I know a lot of time has passed -- I'm on v 7.3.3), this might have worked before, but not now.

I'm trying to simply expand out the results of a "df -h" from a text'd output file -- and it's being very reluctant...

0 Karma
Reply
Solved! Jump to solution
Solution

dspracklen
Path Finder
‎11-05-2012 10:56 AM

The advice from sdaniels in his comment worked like a charm. Setting a new field to the value of _raw and then using mvexpand on that works. I'm not sure why _raw was invalid, but perhaps it is a change with version 5 of Splunk.

Reply
Solved! Jump to solution

sdaniels
Splunk Employee
Splunk Employee
‎11-05-2012 03:05 PM

Glad i could help. The underscore fields are treated differently in Splunk in general and sometimes you are required to create a new copy of the field to work on it.

Reply
Solved! Jump to solution

dspracklen
Path Finder
‎11-05-2012 10:55 AM

I just gave it a shot and voila, that seems to do the trick. I can't believe I didn't even consider that, but _raw seems to be fine in all other uses. I wonder if it's a change with the new version.

Anyway, thanks for the advice. Time to get back to getting this report into shape!

Reply
Solved! Jump to solution

sdaniels
Splunk Employee
Splunk Employee
‎11-05-2012 10:38 AM

Have you tried to create a copy of _raw and then use that in your command. | eval rawCopy = _raw | mvexpand rawCopy | rename rawCopy as _raw

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...

Introduction to Splunk AI

How are you using AI in Splunk? Whether you see AI as a threat or opportunity, AI is here to stay. Lucky for ...