×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
aadrian
Engager
Member since: ‎06-06-2012
‎06-05-2020
Community Statistics
Posts 1
Solutions 0
Karma Given 0
Karma Received 1
Member Since ‎06-06-2012
View All

How to make a table with multiple multivalue field...

by in Splunk Search
‎08-10-2012 03:25 AM
1 Karma
‎08-10-2012 03:25 AM
1 Karma
I need to make a table with some information from events. my event looks like: [timestamp][some info] [function_name_1][id_1][param_1][result_1] [function_name_2][id_2][param_2][result_2] [function_name_3][id_3][param_3][result_3] ... [function_name_n][id_n][param_n][result_n] Because my regexp only found the first occurance of the fields(function_name,id,param,result) so I used MV_ADD for all multivalue fields and now it finds all occurences. My table should looks like: index |timestamp |some_info |function_name |id |param |result 1 |timestamp |some_info |function_name_1|id_1 |param_1|result_1 2 |timestamp |some_info |function_name_2|id_2 |param_2|result_2 3 |timestamp |some_info |function_name_3|id_3 |param_3|result_3 4 |timestamp |some_info |function_name_4|id_4 |param_4|result_4 problem is with multivalue fields, for the last 4 column in one record I've got couple values and my table looks like: index |timestamp |some_info |function_name |id |param |result 1 |timestamp |some_info |function_name_1|id_1|param_1|result_1 | | |function_name_2|id_2|param_2|result_2 | | |function_name_3|id_3|param_3|result_3 | | |function_name_4|id_4|param_4|result_4 2 |timestamp |some_info |function_name_1|id_1 |param_1|result_1 | | |function_name_2|id_2 |param_2|result_2 | | |function_name_3|id_3 |param_3|result_3 | | |function_name_4|id_4 |param_4|result_4 I read about mvexpand command but it doesn't work good with multiple multivalue fields. after mvcommand for all multivalue fields I've got: index |timestamp |some_info |function_name |id |param |result 1 |timestamp |some_info |function_name_1|id_1 |param_1|result_1 2 |timestamp |some_info |function_name_1|id_1 |param_1|result_2 3 |timestamp |some_info |function_name_1|id_1 |param_1|result_3 4 |timestamp |some_info |function_name_1|id_1 |param_1|result_4 5 |timestamp |some_info |function_name_1|id_1 |param_2|result_1 6 |timestamp |some_info |function_name_1|id_1 |param_2|result_2 7 |timestamp |some_info |function_name_1|id_1 |param_2|result_3 8 |timestamp |some_info |function_name_1|id_1 |param_2|result_4 9 |timestamp |some_info |function_name_1|id_1 |param_3|result_1 10 |timestamp |some_info |function_name_1|id_1 |param_3|result_2 11 |timestamp |some_info |function_name_1|id_1 |param_3|result_3 ... (n-1) |timestamp |some_info |function_name_4|id_4 |param_4|result_3 n |timestamp |some_info |function_name_4|id_4 |param_4|result_4 My last query looks like: "table _time some_info function_name id param result | mvexpand function_name| mvexpand id|mvexpand param |mvexpand result" Could any one help me with this situation. Thanks, Adrian. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM
Karma from
View All