- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to expand multivalue fields?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
is it possible to split-up/expand an event like this?
field1=xyz
field2=xyz
action: [ [-]
{ [-]
action_serial: 63
action_start: 1427365806891
action_name: A
params: { [+]
}
}
{ [-]
action_serial: 64
action_start: 1427365812718
action_name: B
params: { [+]
}
}
{ [-]
action_serial: 65
action_start_utc: 1427365813260
action_name: A
params: { [+]
}
}
{ [-]
action_serial: 66
action_start_utc: 1427365813937
action_name: B
params: { [+]
}
}
{ [-]
action_serial: 67
action_start_utc: 1427365831792
action_name: C
params: { [+]
There are 5 actions in the event. I would like to expand this one event into 5 events, where each event includes only one of the actions.
Thanks in advance
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We decided to adjust the inputformat. Extracting the fields in every search for this sourcetype was way too complicated.
Thanks for your ideas!
Heinz
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We decided to adjust the inputformat. Extracting the fields in every search for this sourcetype was way too complicated.
Thanks for your ideas!
Heinz
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have tried to set up your file in the variable temp as you peus the contacts below to help get out of a aproche what you veus. and t inspireant my example you will find your answer because it was walking home.
try this example:
| gentimes start=-1 | eval
temp="{\"action_serial\":\" 63\",\"action_start\": \"1427365806891\",\"action_name\": \"A\",\"params\": \"{ [+]}\"},{\"action_serial\":\" 64\",\"action_start\": \"1427365812718\",\"action_name\":\" B\",\"params\": \"{ [+]}\"},{\"action_serial\":\" 65\",\"action_start_utc\": \"1427365813260\",\"action_name\": \"A\",\"params\": \"{ [+]}\"},{\"action_serial\": \"66\",\"action_start_utc\": \"1427365813937\",\"action_name\": \"B\",\"params\":\" { [+]}\"}"| table temp | rename temp as _raw | spath |rename action_* as *|rename action_*utc as *|rename params as parametre | eval temp=mvzip(serial,mvzip(start,mvzip(name,parametre,"#"),"#"),"#")| mvexpand temp|table serial start name parametre _raw temp
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would just do a multi-value field extraction, use a table to transform them into separate rows, then do stats/etc. against the table. i.e.
.... | rex "\naction_serial:\s(?<action_serial>\d+)\naction_start:\s(?<action_start>\d+)\naction_name:\s(?<action_name>\w+)" max_match=0 | table action_serial action_start action_name
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi try HeinzWaescher
Try this search code
............ | eval oneaction_by_event=mvdedup(mvappend(field1 ,field2,action))|mvexpand oneaction_by_event|table oneaction_by_event
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks for your post. unfortunately this approach doesn't show the needed results
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
