how to take multiple lines of single event data au...

prathapkcsc · ‎04-08-2017

My event has like this data
ip = 10.60.11.170 , value = 46
ip = 10.60.11.168 , value = 47
ip = 10.60.11.171 , value = 48
ip = 10.60.11.167 , value = 47
for this i wrote a query
| makeresults
| eval allmydata="ip = 10.60.11.170 , value = 46
ip = 10.60.11.168 , value = 47
ip = 10.60.11.171 , value = 48
ip = 10.60.11.167 , value = 47"

by using above queries perfectly am able to read the values.But the problem is every time i need to copy paste the event data. Is there anyway that even data can be read automatically?

Please anyone can help me?
Thanks in advance

woodcock · ‎04-09-2017

Yes, put | outputscsv SomeFileName.csv on the end and then to get it back, start out your search like this:

|inputcsv SomeFileName.csv ...

You can also use a macro:
https://docs.splunk.com/Documentation/Splunk/6.5.2/Admin/Macrosconf

prathapkcsc · ‎04-09-2017

"ip = 10.60.11.170 , value = 46
ip = 10.60.11.168 , value = 47
ip = 10.60.11.171 , value = 48
ip = 10.60.11.167 , value = 47"

I want to avoid this manual thing..
splunk has to read this automatically

prathapkcsc · ‎04-09-2017

makeresults
| eval allmydata="ip = 10.60.11.170 , value = 46
ip = 10.60.11.168 , value = 47
ip = 10.60.11.171 , value = 48
ip = 10.60.11.167 , value = 47"
| rex field=allmydata max_match=0 "(?ip = ([\d.]+) , value = (\d+))"
| fields thedata
| mvexpand thedata
| rex field=thedata max_match=0 "ip = (?[\d.]+) , value = (?\d+)"
| table ip value

This is my query...
Wherr can i make changes according to my requirement .

prathapkcsc · ‎04-09-2017

I want to avoid that all event data in eval command

prathapkcsc · ‎04-09-2017

Can you elaborate this?
I cannot understand...
Thank you

woodcock · ‎04-09-2017

Do this first:

| makeresults 
| eval allmydata="ip = 10.60.11.170 , value = 46::ip = 10.60.11.168 , value = 47::ip = 10.60.11.171 , value = 48::ip = 10.60.11.167 , value = 47"
| makemv delim="::" allmydata
| mvexpand allmydata
| outputcsv allmydata.csv

Then do this:

| inputcsv allmydata.csv

Bob's your uncle!

prathapkcsc · ‎04-09-2017

makeresults
| eval allmydata="ip = 10.60.11.170 , value = 46
ip = 10.60.11.168 , value = 47
ip = 10.60.11.171 , value = 48
ip = 10.60.11.167 , value = 47"
| rex field=allmydata max_match=0 "(?ip = ([\d.]+) , value = (\d+))"
| fields thedata
| mvexpand thedata
| rex field=thedata max_match=0 "ip = (?[\d.]+) , value = (?\d+)"
| table ip value

This is my query...
i want to avoid this manual thing everytime
"ip = 10.60.11.170 , value = 46
ip = 10.60.11.168 , value = 47
ip = 10.60.11.171 , value = 48
ip = 10.60.11.167 , value = 47"

is there any possiblity,do let me know?
Thank you

prathapkcsc · ‎04-09-2017

allmydata="ip = 10.60.11.170 , value = 46::ip = 10.60.11.168 , value = 47::ip = 10.60.11.171 , value = 48::ip = 10.60.11.167 , value = 47"

I dont want to give all this ip,value manually,splunk has to read automatically.

is it possible?

woodcock · ‎01-16-2019

Sure, but where are you planning to get the IP data? From a DB? Use DBConnect. From a search? Just do it. The makeresults stuff was just my way of manufacturing it out of thin air.

how to take multiple lines of single event data automatically

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

AppDynamics is now part of Splunk Ideas

Advanced Splunk Data Management Strategies