Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Transactions and mvexpand on _raw

dspracklen
Path Finder
‎11-05-2012 10:31 AM

While there was a good question related to my problem, the answers aren't solving my problem.

I need to constrain data to a list of event times for a list of given objects. I can constrain this using transaction and a dedup. This seems to work as best as I can tell. Like with previous questions, I then need to run stats on the events in each transaction to summarize them.

Currently, the relevant bits of my search look like this:
-etc etc etc- | transaction transField mvraw=true | dedup assetID | mvexpand _raw | stats etc etc

The problem is that I can never get mvexpand to recognize that _raw is a valid field. Invariably I get "Field '_raw' does not exist in the data." Replacing mvexpand with a table command shows the field is there, however.

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

dspracklen
Path Finder
‎11-05-2012 10:56 AM

The advice from sdaniels in his comment worked like a charm. Setting a new field to the value of _raw and then using mvexpand on that works. I'm not sure why _raw was invalid, but perhaps it is a change with version 5 of Splunk.

View solution in original post

Reply
Solved! Jump to solution

Michael
Contributor
‎02-03-2020 07:29 AM

Hmm, with due respect (I know a lot of time has passed -- I'm on v 7.3.3), this might have worked before, but not now.

I'm trying to simply expand out the results of a "df -h" from a text'd output file -- and it's being very reluctant...

0 Karma
Reply
Solved! Jump to solution
Solution

dspracklen
Path Finder
‎11-05-2012 10:56 AM

The advice from sdaniels in his comment worked like a charm. Setting a new field to the value of _raw and then using mvexpand on that works. I'm not sure why _raw was invalid, but perhaps it is a change with version 5 of Splunk.

Reply
Solved! Jump to solution

sdaniels
Splunk Employee
Splunk Employee
‎11-05-2012 03:05 PM

Glad i could help. The underscore fields are treated differently in Splunk in general and sometimes you are required to create a new copy of the field to work on it.

Reply
Solved! Jump to solution

dspracklen
Path Finder
‎11-05-2012 10:55 AM

I just gave it a shot and voila, that seems to do the trick. I can't believe I didn't even consider that, but _raw seems to be fine in all other uses. I wonder if it's a change with the new version.

Anyway, thanks for the advice. Time to get back to getting this report into shape!

Reply
Solved! Jump to solution

sdaniels
Splunk Employee
Splunk Employee
‎11-05-2012 10:38 AM

Have you tried to create a copy of _raw and then use that in your command. | eval rawCopy = _raw | mvexpand rawCopy | rename rawCopy as _raw

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...