I'm having issues trying to break out individual events that are combined into multi-value fields.
When I do a table on my fields I get this: one time entry, then multiple values for name, entity, type and severity.
_time            name                   entity            type                        severity
3/2/2018 11:28   High Load              CaseService       BUSINESS_TRANSACTION        CRITICAL
                 Exceptions per Minute  Mainframe         APPLICATION_COMPONENT       CRITICAL
                 High Response Time     /app/Quoting      BUSINESS_TRANSACTION        CRITICAL
                 High Load              /app/Quoting      BUSINESS_TRANSACTION        WARNING
                 High Response Time     RetrieveWorkItem  BUSINESS_TRANSACTION        CRITICAL
                 High Load              Online            BUSINESS_TRANSACTION        WARNING
                 Server Time            thing.do          APPLICATION_DIAGNOSTIC_DATA WARNING
What I want is each line/group of name, entity, type and severity to be an event with the same _time. Is this possible?
Try this...
| eval zipped=mvzip(mvzip(mvzip(name,entity,"!!!!!entity="),type,"!!!!!type="),severity,"!!!!!severity=")
| fields _time zipped
| mvexpand zipped
| rex field=zipped "^(?<name>.*)!!!!!entity=(?<entity>.*)!!!!!type=(?<type>.*)!!!!!severity=(?<severity>.*)$"
The "!!!!!" delimiter is my own favorite, since it almost never appears in real data. Using commas or semicolons or dashes might accidentally split a field.
That worked beautifully! You just made my day! Thank you!!!!!
Can you share the search that got you these results?
Have you tried mvexpand?
I can only seem to mvexpand one field, so if I mvexpand name I can get one event for each name, but then the full list of entity, type and severity all exist for every name.
Here's my search:
index=appd source=healthrule_violations application_name="PROD"
| spath healthrule_violations{}.name
| rename healthrule_violations{}.name AS name
| spath healthrule_violations{}.affectedEntityDefinition.name
| rename healthrule_violations{}.affectedEntityDefinition.name AS entity
| spath healthrule_violations{}.affectedEntityDefinition.entityType
| rename healthrule_violations{}.affectedEntityDefinition.entityType as type
| spath healthrule_violations{}.severity
| rename healthrule_violations{}.severity as severity
| table _time description name entity type severity
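Added example, not code from the original thread or from Splunk: a small Python emulation of what the accepted answer's mvzip / mvexpand / rex chain does to the multi-value fields that the search above produces, so you can see why it works and where it can silently go wrong. It assumes the raw event is JSON shaped like the spath paths in the search (an array `healthrule_violations` of objects with `name`, `affectedEntityDefinition.name`, `affectedEntityDefinition.entityType` and `severity`); the sample events, the `make_event` helper and the per-object alternative are constructed for this example. The key point it demonstrates: spath flattens each field into its own list, so the zip relies purely on position, and a violation that lacks one field (here, severity) shifts every later value onto the wrong row.

```python
import json
import re

DELIM = "!!!!!"  # the answer's delimiter, chosen because it rarely occurs in real data


def make_event(drop_severity_on=None):
    """Constructed sample event in the shape the question's spath paths imply
    (not data from the thread). drop_severity_on removes 'severity' from one
    violation to show the positional-misalignment failure mode."""
    violations = [
        {"name": "High Load",
         "affectedEntityDefinition": {"name": "CaseService", "entityType": "BUSINESS_TRANSACTION"},
         "severity": "CRITICAL"},
        {"name": "Exceptions per Minute",
         "affectedEntityDefinition": {"name": "Mainframe", "entityType": "APPLICATION_COMPONENT"},
         "severity": "CRITICAL"},
        {"name": "High Response Time",
         "affectedEntityDefinition": {"name": "/app/Quoting", "entityType": "BUSINESS_TRANSACTION"},
         "severity": "WARNING"},
    ]
    if drop_severity_on is not None:
        del violations[drop_severity_on]["severity"]
    return json.dumps({"healthrule_violations": violations})


def extract_multivalue(event_json):
    """Emulates the spath/rename chain in the search: each field becomes one flat
    list across all array elements. An element lacking a key contributes nothing,
    which is what later breaks positional alignment."""
    vs = json.loads(event_json)["healthrule_violations"]
    return {
        "name": [v["name"] for v in vs if "name" in v],
        "entity": [v["affectedEntityDefinition"]["name"] for v in vs if "affectedEntityDefinition" in v],
        "type": [v["affectedEntityDefinition"]["entityType"] for v in vs if "affectedEntityDefinition" in v],
        "severity": [v["severity"] for v in vs if "severity" in v],
    }


def mvzip(a, b, delim):
    """Positional pairing as mvzip does. This emulation stops at the shorter list;
    the exact Splunk behaviour on unequal lengths is not modelled."""
    return [f"{x}{delim}{y}" for x, y in zip(a, b)]


# Same pattern as the answer's rex, with the delimiter escaped for safety.
D = re.escape(DELIM)
ZIPPED_RE = re.compile(
    rf"^(?P<name>.*){D}entity=(?P<entity>.*){D}type=(?P<type>.*){D}severity=(?P<severity>.*)$"
)


def zip_expand_rex(mv):
    """The accepted answer's approach: zip three times, expand, split back with rex."""
    zipped = mvzip(mv["name"], mv["entity"], DELIM + "entity=")
    zipped = mvzip(zipped, mv["type"], DELIM + "type=")
    zipped = mvzip(zipped, mv["severity"], DELIM + "severity=")
    rows = []
    for value in zipped:            # mvexpand: one row per zipped value
        m = ZIPPED_RE.match(value)  # rex: recover the four fields from the row
        if m:
            rows.append(m.groupdict())
    return rows


def expand_per_object(event_json):
    """Alternative that keeps each violation's fields together: walk the array
    objects themselves instead of re-pairing flattened lists by position."""
    vs = json.loads(event_json)["healthrule_violations"]
    return [{
        "name": v.get("name"),
        "entity": v.get("affectedEntityDefinition", {}).get("name"),
        "type": v.get("affectedEntityDefinition", {}).get("entityType"),
        "severity": v.get("severity"),
    } for v in vs]


if __name__ == "__main__":
    for row in zip_expand_rex(extract_multivalue(make_event())):
        print(row)
    print("with one severity missing, positional zip attributes the wrong severity:")
    for row in zip_expand_rex(extract_multivalue(make_event(drop_severity_on=1))):
        print(row)
    print("walking the objects keeps the gap where it belongs:")
    for row in expand_per_object(make_event(drop_severity_on=1)):
        print(row)
```

In the misaligned run the second row carries the third violation's WARNING and the third violation disappears entirely, which matters if these rows feed alerting. When the event really is a JSON array of objects, the equivalent of `expand_per_object` in SPL (a general pattern, not from this thread) is to expand the array elements before extracting fields, e.g. `spath path=healthrule_violations{} output=violation | mvexpand violation | spath input=violation`, so that each row's fields come from the same object rather than from matching list positions.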