- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- mvexpand query
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mvexpand query
I extracted a multivalued field named universal_ip to extract all IPs (whatever it is source or dest) in all events.
One of my event looks like below
12/Mar/2015:13:38:01 +0000] 11.22.33.44 GET /sdffd/sdfsdfh.sdfsdhhf/sdfhsdfhj
If I run the query like this (index=* | mvexpand universal_ip | table _raw) ,it returns the result twice for each event.
For example the above event found twice in my results.
Could you please clarify why mvexpand command gives the result twice. Here single value is found for multivalue field universal_ip.
Then how it returns twice?
Thanks in advance
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First of all, you use a MV field extraction for events that never contain more than 1 IP. That is your problem; get rid of your MV_ADD line and it will work as you expect.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Looks like you have two active field extraction for the field universal_ip. As per your sample event, I see there is only 1 IP address per event, so not sure why/how a multivalued field extraction is used/setup. Can you run following and check how many field extractions you find for this sourcetype of yours
$Splunk_Home/bin/splunk cmd btool props list YourSoureType
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Somesoni,
I need to extract this ip field from all sourcetypes. so I have used default stanza.
Also in this sample event there is only one IP. But in some other events we could find more than one IPs
[default]
REPORT-mvuniveralip = mvuniversalip
[mvuniversalip]
REGEX = (?P\d+.\d+.\d+.\d+)
MV_ADD = 1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you run following query and tell how many values you get for field universal_ip (basically apply timerange/filter to select just one row mentioned in your sample)
index=* sourcetype=YourSourcetype "More filters" | table _raw, universal_ip | eval count=mvcount(universal_ip)
The count field should match with no of Ips in your _raw event.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
can you clarify your question? I'm not sure what you mean by TIME3 here.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have edited my question.Could you pls clarify now
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It would be helpful to show how you are doing the extraction. Can you please show us how you are getting universal_ip out of the event?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
[default]
REPORT-mvuniveralip = mvuniversalip
[mvuniversalip]
REGEX = (?Pd+.d+.d+.d+)
MV_ADD = 1
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
