Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Help with SPL Splunk part 2

uagraw01
Motivator
‎10-20-2022 11:37 PM

To provide further from yesterday's SPL query. I am facing huge events in multivalues. I want to break in a single event. How can I achieve it.

My current events are look like as below.

uagraw01_0-1666334392521.png

 

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-20-2022 11:54 PM

HI @uagraw01,

let me better understand you need:

you have al these long error messages and you have them in a multivalue,you want to have each of them in a single event, is it correct?

Anyway, the method to transform a multivale in single events is mvexpand command (https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Mvexpand).

If you could share your final search I could be more precise in mvexpand use.

Ciao.

Giuseppe

Reply
Get Updates on the Splunk Community!

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureThursday, March 27, 2025  |  11AM PST / 2PM EST | Register NowStep boldly ...

Splunk AppDynamics with Cisco Secure Application

Web applications unfortunately present a target rich environment for security vulnerabilities and attacks. ...

New Splunk Innovations Enhance Performance and Accelerate Troubleshooting

Splunk is excited to announce new releases that empower ITOps and engineering teams to stay ahead in ever ...