Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

mvcombine removes timestamp

Hazel
Communicator
‎08-20-2010 10:48 AM

Hello,

I am doing a query, where I get a multi valued field and I need to append something to each value depending what the value is. I can't find a way to apply a statement to the multiple values, the only thing I can think to do is to expand the field make my change and recombine it. However, when I recombine it, the timestamp _time loses its content and this is a field we need.

The command is:

host=glon19u10329 index="DTS" sourcetype="config" | xpath "//value/with/cfg/serverUrl" outfield=emsName | mvexpand emsName | eval status = if(match(emsName,"tcp://ems-dit*"),"Tier 2", if(match(emsName,"tcp://vsol43a-7801*"), "Tier 2", if(match(emsName, "tcp://vsgl43a-2016*"), "Tier 2", if(match(emsName,"tcp://vhbl31a04103*"), "Tier 2", "Tier 3")))) | strcat emsName ":" status emsName | mvcombine emsName

Before applying the mvcombine, the time stamp shows correctly.

Example

BEFORE:
_time     emsName
19/08/2010 09:00     tcp://ems-dit-eu-uat-1: Tier 2
19/08/2010 09:00     tcp://emsuatdata: Tier 3
....

AFTER (as one event)
_time     emsName
          tcp://ems-dit-eu-uat-1: Tier 2
          tcp://emsuatdata: Tier 3

Any idea why the _time field doesn't make it through the mvcombine?

Thanks Hazel

Tags (3)
Reply

Lowell
Super Champion
‎08-20-2010 01:24 PM

That's weird. Have you tried renaming _time before your mvepand and then rename it back after mvcombine?

For example:

host=glon19u10329 index="DTS" sourcetype="config" | xpath "//value/with/cfg/serverUrl" outfield=emsName | rename _time as keep_time | mvexpand emsName | eval status = if(match(emsName,"tcp://ems-dit*"),"Tier 2", if(match(emsName,"tcp://vsol43a-7801*"), "Tier 2", if(match(emsName, "tcp://vsgl43a-2016*"), "Tier 2", if(match(emsName,"tcp://vhbl31a04103*"), "Tier 2", "Tier 3")))) | strcat emsName ":" status emsName | mvcombine emsName | rename keep_time as _time

Not sure if this will work or not. I know that sometimes _* fields get handled differently so perhaps this trick will get past that.

Reply

steveyz
Splunk Employee
Splunk Employee
‎08-20-2010 06:11 PM

Yes, it is intended behavior. As a rule, we don't use any _* fields in mvcombine. This is because you may often see events that differ only in internal fields that are not shown (i.e. _cd), and then wonder why they weren't combined.

Reply

Hazel
Communicator
‎08-20-2010 05:35 PM

thanks this works as a workaround. Would be interested to know if this is the intended behaviour for the _time field though!

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...