Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Raw data only parsing the first instance

praddasg
Path Finder
‎03-26-2020 08:10 PM

Hello All,

I have a data like this

X1=[A(status=X, reason=Y), A(status=Z, reason=Y), A(status=xyz, reason=abc)]

Now when I am using the query <search criteria> | table status, reason it is giving values "X" and "Y"
1. Trying to understand why it is not considering the values Z & Y and xyz & abc
2. If I have to get the result of values Z & Y and xyz & abc how to retrieve?

0 Karma
Reply

to4kawa
Ultra Champion
‎03-28-2020 04:09 PM

sample query:

| makeresults
| eval _raw="service: mnp, o=123, X1=[A(status=X, reason=Y), A(status=Z, reason=Y), A(status=xyz, reason=abc)]"
| rex max_match=0 "status=(?<status>\w+), reason=(?<reason>\w+)"
| table status reason
| eval _counter = mvrange(0,mvcount(status))
| stats list(*) as * by _counter
| foreach * [ eval <<FIELD>> = mvindex('<<FIELD>>', _counter)]
| fields - _*

recommend:

<search criteria> 
| rex max_match=0 "status=(?<status>\w+), reason=(?<reason>\w+)"
| fields status reason
| eval _counter = mvrange(0,mvcount(status))
| stats list(*) as * by _counter
| foreach * [ eval <<FIELD>> = mvindex('<<FIELD>>', _counter)]
| fields - _*
| table status, reason
0 Karma
Reply

praddasg
Path Finder
‎03-28-2020 04:16 PM

Hello @to4kawa
It is still giving me values "X" and "Y"

0 Karma
Reply

to4kawa
Ultra Champion
‎03-28-2020 04:56 PM

use where OR search

0 Karma
Reply

praddasg
Path Finder
‎03-28-2020 05:50 PM

I am only using where but still the same

0 Karma
Reply

to4kawa
Ultra Champion
‎03-28-2020 07:43 PM

I see, your query is wrong

0 Karma
Reply

praddasg
Path Finder
‎03-30-2020 06:34 PM

Hi @to4kawa
can you please explain a bit more when you say the query is wrong? What I meant above is in the complete query I am not using search instead using where

service
| where not reason like "%P%"
|table status, reason

0 Karma
Reply

to4kawa
Ultra Champion
‎03-31-2020 02:27 PM 
| where not reason like "%P%"

This can't work.
where "%P%" come from?
Don't you select NOT (status="X" AND reason="Y")?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-27-2020 06:00 AM

What is <search criteria>?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

praddasg
Path Finder
‎03-28-2020 07:22 AM

Hi @richgalloway the raw data is like service: mnp, o=123, X1=[A(status=X, reason=Y), A(status=Z, reason=Y), A(status=xyz, reason=abc)]

and my <search criteria> is service

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | What did the zero say to the eight?

June 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this month’s ...

Splunk Observability Cloud's AI Assistant in Action Series: Onboarding New Hires & ...

This is the fifth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Now Playing: Splunk Education Summer Learning Premieres

It’s premiere season, and Splunk Education is rolling out new releases you won’t want to miss. Whether you’re ...