Splunk Search

question involving breaking out multiple multivalue fields into events

kmaron
Motivator

I'm having issues trying to break out individual events that are combined into multi-value fields

When I do a table on my fields I get this: one time entry, then multiple values for name, entity, type and severity.

_time           name                   entity            type                         severity
3/2/2018 11:28  High Load              CaseService       BUSINESS_TRANSACTION         CRITICAL
                Exceptions per Minute  Mainframe         APPLICATION_COMPONENT        CRITICAL
                High Response Time     /app/Quoting      BUSINESS_TRANSACTION         CRITICAL
                High Load              /app/Quoting      BUSINESS_TRANSACTION         WARNING
                High Response Time     RetrieveWorkItem  BUSINESS_TRANSACTION         CRITICAL
                High Load              Online            BUSINESS_TRANSACTION         WARNING
                Server Time            thing.do          APPLICATION_DIAGNOSTIC_DATA  WARNING

What I want is each line/group of name, entity, type and severity to be an event with the same _time. Is this possible?

0 Karma
1 Solution

DalJeanis
Legend

Try this...

| eval zipped=mvzip(mvzip(mvzip(name,entity,"!!!!!entity="),type,"!!!!!type="),severity,"!!!!!severity=")
| fields _time zipped
| mvexpand zipped
| rex field=zipped "^(?<name>.*)!!!!!entity=(?<entity>.*)!!!!!type=(?<type>.*)!!!!!severity=(?<severity>.*)$"

The "!!!!!" delimiter is my own favorite, since it almost never appears in real data. Using commas or semicolons or dashes might accidentally split a field.
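A Python model of the approach above, added here as an illustration and not code from this thread or from Splunk: it reproduces the nested mvzip, the mvexpand and the rex over a constructed event shaped like the table in the question, and first checks that the "!!!!!" delimiter does not occur inside any value, which is the mis-split the answer warns about. The function names mvzip, collisions, zip_fields and expand_event are hypothetical.

```python
import re

# Delimiter chosen in the answer: a token that should never occur in real data.
DELIM = "!!!!!"
# Same pattern as the rex in the answer, in Python's (?P<name>...) group syntax.
ZIPPED_RE = re.compile(
    r"^(?P<name>.*)!!!!!entity=(?P<entity>.*)!!!!!type=(?P<type>.*)!!!!!severity=(?P<severity>.*)$"
)

# Constructed sample event: one _time with four multivalue fields, like the question's table.
SAMPLE_EVENT = {
    "_time": "3/2/2018 11:28",
    "name": ["High Load", "Exceptions per Minute", "High Response Time"],
    "entity": ["CaseService", "Mainframe", "/app/Quoting"],
    "type": ["BUSINESS_TRANSACTION", "APPLICATION_COMPONENT", "BUSINESS_TRANSACTION"],
    "severity": ["CRITICAL", "CRITICAL", "CRITICAL"],
}

FIELDS = ("name", "entity", "type", "severity")


def mvzip(left, right, delim=","):
    """Stand-in for SPL mvzip: join the i-th value of each list with delim (',' is Splunk's default)."""
    return [f"{a}{delim}{b}" for a, b in zip(left, right)]


def collisions(event, delim=DELIM):
    """Return (field, value) pairs whose value contains the delimiter; any hit would break the rex."""
    return [(f, v) for f in FIELDS for v in event[f] if delim in v]


def zip_fields(event, delim=DELIM):
    """Build the 'zipped' multivalue field exactly as the nested mvzip in the answer does."""
    bad = collisions(event, delim)
    if bad:
        raise ValueError(f"delimiter {delim!r} found inside values: {bad}")
    zipped = mvzip(event["name"], event["entity"], delim + "entity=")
    zipped = mvzip(zipped, event["type"], delim + "type=")
    return mvzip(zipped, event["severity"], delim + "severity=")


def expand_event(event):
    """mvexpand + rex: one row per zipped value, each row keeping the original _time."""
    rows = []
    for z in zip_fields(event):
        m = ZIPPED_RE.match(z)
        if m is None:
            raise ValueError(f"could not parse zipped value {z!r}")
        rows.append({"_time": event["_time"], **m.groupdict()})
    return rows
```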


kmaron
Motivator

That worked beautifully! You just made my day! Thank you!!!!!

richgalloway
SplunkTrust

Can you share the search that got you these results?
Have you tried mvexpand?

---
If this reply helps you, Karma would be appreciated.
0 Karma

kmaron
Motivator

I can only seem to mvexpand one field. So if I mvexpand name I can get one event for each name, but then the full list of entity, type and severity values exists for every name.

Here's my search:
index=appd source=healthrule_violations application_name="PROD"
| spath healthrule_violations{}.name
| rename healthrule_violations{}.name AS name
| spath healthrule_violations{}.affectedEntityDefinition.name
| rename healthrule_violations{}.affectedEntityDefinition.name AS entity
| spath healthrule_violations{}.affectedEntityDefinition.entityType
| rename healthrule_violations{}.affectedEntityDefinition.entityType as type
| spath healthrule_violations{}.severity
| rename healthrule_violations{}.severity as severity
| table _time description name entity type severity

0 Karma