Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

trying to split one event into multiple events

rukshar
Explorer
‎11-01-2024 01:13 PM

Please help me to extract multiple values from one single value.

rukshar_0-1730491613716.png

 

Labels (1)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-03-2024 05:14 AM

You could try something like this

| eval _raw=body
| multikv forceheader=1

Although you may need to rename the fields afterwards

0 Karma
Reply

rukshar
Explorer
‎11-02-2024 06:40 AM

This is the query i am using in my search. I need my output into mutiple rows.(snippet provided)

 

index=mail "*tanium*"
|spath body
|rex field=body max_match=0 "\"(?<Computer_name>.*)\",\"ACN"
|rex field=body max_match=0 "\"(?<Computer_name1>.*)\",\"\[n"
|rex field=Computer_name1 max_match=0 "(?<Computer_name2>.*)\",\"\[n"
|rex field=body max_match=0 "\,(?<Patch_List_Name1>.*)\"\["
|rex field=Patch_List_Name1 max_match=0 "\"(?<Patch_List_Name>.*)\",\""
|rex field=Patch_List_Name1 max_match=0 "\",\""(?<Compliance_status>.*)\"
|eval Computer_name=mvappend(Computer_name,Computer_name2)
|table Computer_name Compliance_status Patch_List_Name



rukshar_1-1730555096393.png

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎11-02-2024 11:57 AM

Ok. So you are simply extracting the fields using some predefined "anchor points". You are in for a treat if ever your "constant" parts of your event change.

It would be best if you could - as I said at the beginning - do something with the data as it goes into your system. Without it any searching across your data will be hugely inefficient.

In current situation it would probably be best to extract whole rows, then do mvexpand and then extract single fields from each line. You could do it by "counting" quotes but there's one caveat. It's trivial if you assume your field's contents cannot contain escaped quotes. It's getting a bit tricky if you can have escaped quotes. It's getting annoyingly complicated if you can have escaped quotes and escaped backslashes in your field values,

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎11-01-2024 02:25 PM

What do you mean by "split"? This is obviously not an event but a result of a search. So adjust your search to not merge all results into multivalued fields (which by the way give you no guarantee that "the same" row from each of those fields correspond to the same event in the original data or whatever data you're summarizing it from).

0 Karma
Reply

rukshar
Explorer
‎11-01-2024 08:24 PM

Hello @PickleRick ,

Yes, this is the search on the basis of email logs which is giving me one result and i need that search to be multivalued not single valued as you can see in my snippet its giving statistics 1 rather than 3131 which is actually there in the data.

LOGS:

rukshar_0-1730517118707.png



I need this 3131 to be spiltted into mutiple rows with my other following fields as shown in the previous screenshot. when i am doing mvexpand Computer_name its coming 3131 but as soon as i am applying other fields its not showing the data.

rukshar_1-1730517345530.png

 

 

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎11-02-2024 03:16 AM

Ouch.

This is a very ugly data.

It's not only unnecessarily complicated and needs a lot of "untangling" to get it parsed properly (so that you cannot write reasonable extractions) it also contains a huge blob of stuff that is effectively separate data points. So if you want to search for just one pf those hosts, you still have to make Splunk dig through whole load of completely irrelevant data.

Additionally, you are doing something to your data because the body field if simply extracted from the json would have just have a long string, not separate fields.

So maybe just post your search as it is. My glass orb is being fixed as we speak.

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎11-02-2024 06:24 AM
Please just post your current query inside code block "</>" button when you write your post.
Then mockup what and how you want too see the result. One picture is usually better than thousand words.
0 Karma
Reply
Get Updates on the Splunk Community!

Transforming Financial Data into Fraud Intelligence

Every day, banks and financial companies handle millions of transactions, logins, and customer interactions ...

How to send events & findings from AWS to Splunk using Amazon EventBridge

Amazon EventBridge is a serverless service that uses events to connect application components together, making ...

Exciting News: The AppDynamics Community Joins Splunk!

Hello Splunkers,   I’d like to introduce myself—I’m Ryan, the former AppDynamics Community Manager, and I’m ...
Top