Splunk Search

how can i get two different events individually where both are separated by pipe "|" in the splunk data base.

annamareddi
New Member

i am using splunk to get the logs. we build a data base where 2 or 3 log events are separated by pipe "|" and tagged to single number in data base. while searching for those events for todays occurence, i am getting the first event only, as i am using first of RAW. How to get all the events tagged to that number, if they occur for today

Tags (2)
0 Karma
1 Solution

ryanoconnor
Builder

Have you look tried looking into the split command?

index=your_index sourcetype=your_sourcetype | eval regexes = split(_raw, "|") | eval regex1=mvindex(regexes,0)

View solution in original post

ryanoconnor
Builder

Have you look tried looking into the split command?

index=your_index sourcetype=your_sourcetype | eval regexes = split(_raw, "|") | eval regex1=mvindex(regexes,0)

annamareddi
New Member

thank you Ryanoconnor. its working

0 Karma

sundareshr
Legend

Instead of first(_raw), try values(_raw) or list(_raw)

0 Karma

annamareddi
New Member

hi Sundaresh,
i am so thank full for your suggestions. But they are not satisfying my case. please find the below scenario as an example.

example: "regex1|regex2|regex3"
i want to get first instance of regex1 or 2 or 3 or any two or all three(multiple events in the pattern) of the above pattern as they occurred in today's data.

i am using "|stats value (event_pattern) as "unique event", first (_raw) as sample data|"

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Can you provide a sample event and your current search query?

---
If this reply helps you, Karma would be appreciated.
0 Karma

annamareddi
New Member

example: "regex1|regex2|regex3"
i want to get first instance of regex1 or 2 or 3 or all three(multiple events in the pattern) of the above pattern as they occurred in today's data.

i am using "|stats value (event_pattern) as "unique event", first (_raw) as sample data|"

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...