Splunk Search

question involving breaking out multiple multivalue fields into events

kmaron
Motivator

I'm having issues trying to break out individual events that are combined into multi-value fields

When I do a table on my fields I get this: one time entry then multiple values for name, entity, type and serverity.

_time           name                    entity           type                          severity
3/2/2018 11:28  High Load              CaseService      BUSINESS_TRANSACTION           CRITICAL
                Exceptions per Minute   Mainframe       APPLICATION_COMPONENT         CRITICAL
                High Response Time    /app/Quoting      BUSINESS_TRANSACTION           CRITICAL
                High Load              /app/Quoting     BUSINESS_TRANSACTION           WARNING
                High Response Time    RetrieveWorkItem  BUSINESS_TRANSACTION        CRITICAL
                High Load              Online             BUSINESS_TRANSACTION          WARNING
                Server Time          thing.do           APPLICATION_DIAGNOSTIC_DATA WARNING

What I want is each line/group of name, entity, type and severity to be an event with the same _time. Is this possible?

0 Karma
1 Solution

DalJeanis
SplunkTrust
SplunkTrust

Try this...

| eval zipped= mvzip(mvzip(mvzip(name,entity,"!!!!!entity="),type,"!!!!!type="),severity,"!!!!!severity=")
| mvexpand zipped
| fields _time zipped
| mvexpand zipped
| rex field=zipped "^(?<name>.*)!!!!!entity=(?<entity>.*)!!!!!type=(?<type>.*)!!!!!severity=(?<severity>.*)$"

The "!!!!!" delimiter is my own favorite, since it almost never appears in real data. Using commas or semicolons or dashes might accidentally split a field.

View solution in original post

DalJeanis
SplunkTrust
SplunkTrust

Try this...

| eval zipped= mvzip(mvzip(mvzip(name,entity,"!!!!!entity="),type,"!!!!!type="),severity,"!!!!!severity=")
| mvexpand zipped
| fields _time zipped
| mvexpand zipped
| rex field=zipped "^(?<name>.*)!!!!!entity=(?<entity>.*)!!!!!type=(?<type>.*)!!!!!severity=(?<severity>.*)$"

The "!!!!!" delimiter is my own favorite, since it almost never appears in real data. Using commas or semicolons or dashes might accidentally split a field.

View solution in original post

kmaron
Motivator

That worked beautifully! You just made y day! Thank you!!!!!

richgalloway
SplunkTrust
SplunkTrust

Can you share the search that got you these results?
Have you tried mvexpand?

---
If this reply helps you, an upvote would be appreciated.
0 Karma

kmaron
Motivator

I can only seem to mvexpand one field. so if I mvexpand Name I can get one event for each Name but then the full list of entity, type and severity all exist for every name.

here's my search:
index=appd source=healthrule_violations application_name="PROD"
| spath healthrule_violations{}.name
| rename healthrule_violations{}.name AS name
| spath healthrule_violations{}.affectedEntityDefinition.name
| rename healthrule_violations{}.affectedEntityDefinition.name AS entity
| spath healthrule_violations{}.affectedEntityDefinition.entityType
| rename healthrule_violations{}.affectedEntityDefinition.entityType as type
| spath healthrule_violations{}.severity
| rename healthrule_violations{}.severity as severity
| table _time description name entity type severity

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!