×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
mkulicke
Explorer
Member since: ‎10-01-2021
‎02-23-2022
Community Statistics
Posts 7
Solutions 0
Karma Given 2
Karma Received 0
Member Since ‎10-01-2021
Activity Feed
View All

Re: How to table a single event field joined with ...

by SplunkTrust in Splunk Search
‎02-22-2022 08:58 PM
‎02-22-2022 08:58 PM
The final table will only match the number of rows returned in the outer search, namely 3 in your example.  You need to return field_2 in the inter search in multivalue before match. More suggestions about supply sample data and test searches: Illustrate sample raw data is preferred to table, even in synthetic form, unless your question concentrates in field manipulation such as stats. If you want to use table, include table head so other people can understand how columns correspond to your explanations, sample searches, etc.  Make sure synthetic data is congruent with test search.  In your example, I assume that "field_A (abcde)" is a value of field_1 aka poid, but it won't match your term \d+.  This makes troubleshooting so much more difficult. Again, I strongly suggest that join be avoided in this use case.  I also spotted an error in my previous illustration. Now that I get some sense of the data, it is easy to correct.   index=soe_app_retail sourcetype="vg:hvlm" source="*prd/vpa*" ("*NumberOfRules*" OR "*upper*") | rex field=_raw "poid=(?<field_1>\d+) | rename message as field_2 | rex "(?<upper>upper)" | eval field_2=if(isnull(upper),null(),field_2) | stats values(field_1) as field_1 values(field_2) as field_2 by uid ``` join values of the two fields by uid ``` | stats count by uid field_1 field_2 ``` one stats rather than two mvexpand ```   Here is the test.  Given raw data uid_A (1234) poid=9876 NumberOfRules uid_A (1234) ... upper ... message=unique_message (first message w/ 1234) uid_A (1234) ... upper ... message=unique_message (second message w/ 1234) uid_A (1234) ... upper ... message=unique_message (third message w/ 1234) uid_B (5678) poid=5432 NumberOfRules uid_B (5678) ... upper ... message=unique_message (first message w/ 5678) uid_B (5678) ... upper ... message=unique_message (second message w/ 5678) uid_B (5678) ... upper ... message=unique_message (third message w/ 5678) The above search will return  uid field_1 field_2 count uid_A (1234) 9876 unique_message (first message w/ 1234) 1 uid_A (1234) 9876 unique_message (second message w/ 1234) 1 uid_A (1234) 9876 unique_message (third message w/ 1234) 1 uid_B (5678) 5432 unique_message (first message w/ 5678) 1 uid_B (5678) 5432 unique_message (second message w/ 5678) 1 uid_B (5678) 5432 unique_message (third message w/ 5678) 1 ... View more

Re: Extract Error Message String

by in Splunk Search
‎10-18-2021 11:56 AM
‎10-18-2021 11:56 AM
Perfect, thank you. I was just having trouble extracting the full sentence with my regex, but this solved it perfectly. ... View more

Re: Extracting a field in quotes with regex

by in Splunk Search
‎10-01-2021 08:58 AM
‎10-01-2021 08:58 AM
Works like a charm, thanks for your help! ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎02-23-2022 01:37 PM
Karma given to
View All