cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
wvalente2
Explorer
Member since: ‎04-21-2022
‎03-31-2023
Community Statistics
Posts 4
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎04-21-2022
View All

Re: Parse multivalued field to every line

by in Splunk Enterprise
‎12-13-2022 03:19 AM
‎12-13-2022 03:19 AM
The first query work perfectly. I'll try here the final query that I want. Thank you. ... View more

How to parse multivalued field to every line?

by in Splunk Enterprise
‎12-12-2022 09:44 AM
‎12-12-2022 09:44 AM
Hello Splunkers. I need help regarding a field with multiple values that must be separated. I have the following log in the following format: PostureReport Policy_Umbrella;Passed Policy_DLP;Passed Policy_Kaspersky;Passed Policy_Domain;Passed Policy_SCCM;Passed Police_Firewall_Windows;Failed Policy_Crownstrike;Passed I need to separate every Policy with your status. I tried to use mvindex, mvjoin and them separate the events, mvexpand, but none of these worked for me.   Thank you.     ... View more
Labels

Re: Multivalued fields with fields missing in each...

by in Splunk Search
‎04-22-2022 04:49 AM
‎04-22-2022 04:49 AM
@ITWhisperer  This works like a charm. Thank you so much. Just one more question. When I ran the query you proposed, the 'ServerRule' field presents the values in JSON format. (This format is shown in the raw log). I tried to parse the values with 'spath' but no success at all. Is there a way to parse this field as well without affecting the results that we achieve? ServerRule {"ID": XX,"IDx":"XX","ExecutionSequence":XX,"Level":XX,"StateFlags":XX,"UserFlags":XX,"Condition":{"Restrictions":[{"Values":[{"PropTag":{},"PropType":XX,"Value":XX,"RawValue":XX},{"PropTag":{},"PropType":XX,"Value":"XX"},{"PropTag":{},"PropType":31,"Value":"XX","RawValue":"XX Thank you for your help. ... View more

Why do results from extraction of multivalued fiel...

by in Splunk Search
‎04-21-2022 07:27 AM
‎04-21-2022 07:27 AM
Hi all, I need your help with a query to extract the values of fields with multiple values. The problem I'm facing is that not every JSON structure has the two values that I need to extract (Name and Value). Below is an example of the log: "OperationProperties": [{ "Name": "Actions", "Value": "XX" }, { "Name": "Conditions", "Value": "XX" }, { "Name": "Provider", "Value": "XX" }, { "Name": "RemoveOutlookRuleBlob" }, { "Name": "Name", "Value": "XX" }, { "Name": "IsNew" }, { "Name": "IsDirty", "Value": "XX" }, { "Name": "RuleOperation", "Value": "XX" }, { "Name": "ServerRule", "Value": "XX" }], The fields 'Name: IsNew' and 'Name:RemoveOutlookRuleBlob' do not have the corresponding 'Value:' field. I tried the following search, but I noticed that when the 'Value' field doesn't exist, it aggregates with the next available 'Value' field. base search.... | spath path=OperationProperties{}.Name output=Name | spath path=OperationProperties{}.Value output=Value | eval temp=mvzip(Name, Value) | table Name Value, temp temp Actions,ForwardToRecipientsAction Conditions,SentToRecipientsCondition,FromRecipientsCondition Provider,RuleOrganizer RemoveOutlookRuleBlob,XXX Name,True IsNew,Delete IsDirty, XX *The 'IsNew' field does not have 'True' value, as you can see in the first image. My final search will looks like this after I correct the Name=Value. base search... | spath path=OperationProperties{}.Name output=Name | spath path=OperationProperties{}.Value output=Value | eval temp=mvzip(Name, Value) | mvexpand temp | eval Name=mvindex(split(temp,","),0), Value=mvindex(split(temp,","),1), Value=mvindex(split(temp,","),2) | eval {Name}=Value | stats values(*) as * by _time Id Can I have any solutions here? Thank you. ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎03-31-2023 01:56 PM