Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

trying to split one event into multiple events

rukshar
Explorer
‎11-01-2024 01:13 PM

Please help me to extract multiple values from one single value.

rukshar_0-1730491613716.png

 

Labels (1)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-03-2024 05:14 AM

You could try something like this

| eval _raw=body
| multikv forceheader=1

Although you may need to rename the fields afterwards

0 Karma
Reply

rukshar
Explorer
‎11-02-2024 06:40 AM

This is the query i am using in my search. I need my output into mutiple rows.(snippet provided)

 

index=mail "*tanium*"
|spath body
|rex field=body max_match=0 "\"(?<Computer_name>.*)\",\"ACN"
|rex field=body max_match=0 "\"(?<Computer_name1>.*)\",\"\[n"
|rex field=Computer_name1 max_match=0 "(?<Computer_name2>.*)\",\"\[n"
|rex field=body max_match=0 "\,(?<Patch_List_Name1>.*)\"\["
|rex field=Patch_List_Name1 max_match=0 "\"(?<Patch_List_Name>.*)\",\""
|rex field=Patch_List_Name1 max_match=0 "\",\""(?<Compliance_status>.*)\"
|eval Computer_name=mvappend(Computer_name,Computer_name2)
|table Computer_name Compliance_status Patch_List_Name



rukshar_1-1730555096393.png

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎11-02-2024 11:57 AM

Ok. So you are simply extracting the fields using some predefined "anchor points". You are in for a treat if ever your "constant" parts of your event change.

It would be best if you could - as I said at the beginning - do something with the data as it goes into your system. Without it any searching across your data will be hugely inefficient.

In current situation it would probably be best to extract whole rows, then do mvexpand and then extract single fields from each line. You could do it by "counting" quotes but there's one caveat. It's trivial if you assume your field's contents cannot contain escaped quotes. It's getting a bit tricky if you can have escaped quotes. It's getting annoyingly complicated if you can have escaped quotes and escaped backslashes in your field values,

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎11-01-2024 02:25 PM

What do you mean by "split"? This is obviously not an event but a result of a search. So adjust your search to not merge all results into multivalued fields (which by the way give you no guarantee that "the same" row from each of those fields correspond to the same event in the original data or whatever data you're summarizing it from).

0 Karma
Reply

rukshar
Explorer
‎11-01-2024 08:24 PM

Hello @PickleRick ,

Yes, this is the search on the basis of email logs which is giving me one result and i need that search to be multivalued not single valued as you can see in my snippet its giving statistics 1 rather than 3131 which is actually there in the data.

LOGS:

rukshar_0-1730517118707.png



I need this 3131 to be spiltted into mutiple rows with my other following fields as shown in the previous screenshot. when i am doing mvexpand Computer_name its coming 3131 but as soon as i am applying other fields its not showing the data.

rukshar_1-1730517345530.png

 

 

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎11-02-2024 03:16 AM

Ouch.

This is a very ugly data.

It's not only unnecessarily complicated and needs a lot of "untangling" to get it parsed properly (so that you cannot write reasonable extractions) it also contains a huge blob of stuff that is effectively separate data points. So if you want to search for just one pf those hosts, you still have to make Splunk dig through whole load of completely irrelevant data.

Additionally, you are doing something to your data because the body field if simply extracted from the json would have just have a long string, not separate fields.

So maybe just post your search as it is. My glass orb is being fixed as we speak.

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎11-02-2024 06:24 AM
Please just post your current query inside code block "</>" button when you write your post.
Then mockup what and how you want too see the result. One picture is usually better than thousand words.
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...