Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

how can i get two different events individually where both are separated by pipe "|" in the splunk data base.

annamareddi
New Member
‎07-28-2016 05:59 AM

i am using splunk to get the logs. we build a data base where 2 or 3 log events are separated by pipe "|" and tagged to single number in data base. while searching for those events for todays occurence, i am getting the first event only, as i am using first of RAW. How to get all the events tagged to that number, if they occur for today

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ryanoconnor
Builder
‎07-29-2016 04:32 AM

Have you look tried looking into the split command?

index=your_index sourcetype=your_sourcetype | eval regexes = split(_raw, "|") | eval regex1=mvindex(regexes,0)

View solution in original post

Reply
Solved! Jump to solution
Solution

ryanoconnor
Builder
‎07-29-2016 04:32 AM

Have you look tried looking into the split command?

index=your_index sourcetype=your_sourcetype | eval regexes = split(_raw, "|") | eval regex1=mvindex(regexes,0)

Reply
Solved! Jump to solution

annamareddi
New Member
‎08-02-2016 09:20 PM

thank you Ryanoconnor. its working

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎07-28-2016 02:34 PM

Instead of first(_raw), try values(_raw) or list(_raw)

0 Karma
Reply
Solved! Jump to solution

annamareddi
New Member
‎07-28-2016 11:13 PM

hi Sundaresh,
i am so thank full for your suggestions. But they are not satisfying my case. please find the below scenario as an example.

example: "regex1|regex2|regex3"
i want to get first instance of regex1 or 2 or 3 or any two or all three(multiple events in the pattern) of the above pattern as they occurred in today's data.

i am using "|stats value (event_pattern) as "unique event", first (_raw) as sample data|"

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎07-28-2016 07:47 AM

Can you provide a sample event and your current search query?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

annamareddi
New Member
‎07-28-2016 11:09 PM

example: "regex1|regex2|regex3"
i want to get first instance of regex1 or 2 or 3 or all three(multiple events in the pattern) of the above pattern as they occurred in today's data.

i am using "|stats value (event_pattern) as "unique event", first (_raw) as sample data|"

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...