Splunk Search

question involving breaking out multiple multivalue fields into events

kmaron
Motivator

I'm having issues trying to break out individual events that are combined into multi-value fields.

When I do a table on my fields I get this: one time entry, then multiple values for name, entity, type and severity.

_time            name                   entity            type                         severity
3/2/2018 11:28   High Load              CaseService       BUSINESS_TRANSACTION         CRITICAL
                 Exceptions per Minute  Mainframe         APPLICATION_COMPONENT        CRITICAL
                 High Response Time     /app/Quoting      BUSINESS_TRANSACTION         CRITICAL
                 High Load              /app/Quoting      BUSINESS_TRANSACTION         WARNING
                 High Response Time     RetrieveWorkItem  BUSINESS_TRANSACTION         CRITICAL
                 High Load              Online            BUSINESS_TRANSACTION         WARNING
                 Server Time            thing.do          APPLICATION_DIAGNOSTIC_DATA  WARNING

What I want is each line/group of name, entity, type and severity to be an event with the same _time. Is this possible?


DalJeanis
Legend

Try this...

| eval zipped=mvzip(mvzip(mvzip(name,entity,"!!!!!entity="),type,"!!!!!type="),severity,"!!!!!severity=")
| fields _time zipped
| mvexpand zipped
| rex field=zipped "^(?<name>.*)!!!!!entity=(?<entity>.*)!!!!!type=(?<type>.*)!!!!!severity=(?<severity>.*)$"

The "!!!!!" delimiter is my own favorite, since it almost never appears in real data. Using commas or semicolons or dashes might accidentally split a field.



kmaron
Motivator

That worked beautifully! You just made my day! Thank you!!!!!

richgalloway
SplunkTrust

Can you share the search that got you these results?
Have you tried mvexpand?

---
If this reply helps you, Karma would be appreciated.

kmaron
Motivator

I can only seem to mvexpand one field. So if I mvexpand name I can get one event for each name, but then the full list of entity, type and severity still exists on every one of those events.

Here's my search:
index=appd source=healthrule_violations application_name="PROD"
| spath healthrule_violations{}.name
| rename healthrule_violations{}.name AS name
| spath healthrule_violations{}.affectedEntityDefinition.name
| rename healthrule_violations{}.affectedEntityDefinition.name AS entity
| spath healthrule_violations{}.affectedEntityDefinition.entityType
| rename healthrule_violations{}.affectedEntityDefinition.entityType as type
| spath healthrule_violations{}.severity
| rename healthrule_violations{}.severity as severity
| table _time description name entity type severity

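An alternative to the mvzip/mvexpand/rex approach in the accepted answer, added here as an example and not part of the thread: instead of flattening each JSON path into its own multivalue field and then re-joining them with a delimiter, expand the `healthrule_violations` array itself so that each element becomes its own event, and only then extract name, entity, type and severity from that element. This keeps each violation's fields together without any delimiter, so a value containing "!!!!!" or a comma cannot break the split. It assumes, as the spath paths in the search above imply, that the raw event is JSON with a top-level `healthrule_violations` array; the field name `violation` is arbitrary.

```spl
index=appd source=healthrule_violations application_name="PROD"
| spath path=healthrule_violations{} output=violation
| mvexpand violation
| spath input=violation path=name output=name
| spath input=violation path=affectedEntityDefinition.name output=entity
| spath input=violation path=affectedEntityDefinition.entityType output=type
| spath input=violation path=severity output=severity
| table _time description name entity type severity
```

`spath path=healthrule_violations{}` returns each array element as a JSON string in the multivalue field `violation`; `mvexpand` then fans the event out into one event per element, copying `_time` and `description` onto each, and the remaining `spath input=violation` calls read the per-element fields. One caveat for large events: `mvexpand` is bounded by `max_mem_usage_mb` in the `[mvexpand]` stanza of limits.conf and truncates its output when that limit is hit, so check the search job's messages if row counts look low.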