- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How do I table 3 distinct values within the same e...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
In my log, I have the same name field for three distinct values in the same event. For example:
...
Security ID:Joseph Security ID:Admin Security ID:Lopes
..
When I use the search:
... | table Security_ID
Splunk shows me:
(2 events)
Security ID
Joseph
Admin
Lopes
...
John
Felippe
Brian
How cCan I distinguish this information on three distinct fields in a search? I tried to create field extractions, but the log has a lot of data and my sample does not appear by entire.
Security ID
Joseph (field 1)
Admin (field 2)
Lopes (field 3)
...
John (field 1)
Felippe (field 2)
Brian (field 3)
Best regards,
Lopes.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here is a runanywhere example of how you can do this
| gentimes start=-1 | eval _raw="Security ID:Joseph Security ID:Admin Security ID:Lopes" | rex max_match=3 "ID:(?<id>\w+)" | nomv id | table id
If you wan them as separate fields you could do this
| gentimes start=-1 | eval _raw="Security ID:Joseph Security ID:Admin Security ID:Lopes" | rex max_match=3 "ID:(?<id>\w+)" | eval f1=mvindex(id, 0) | eval f2=mvindex(id, 1) | eval f3=mvindex(id, 2) | table f1 f2 f3
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here is a runanywhere example of how you can do this
| gentimes start=-1 | eval _raw="Security ID:Joseph Security ID:Admin Security ID:Lopes" | rex max_match=3 "ID:(?<id>\w+)" | nomv id | table id
If you wan them as separate fields you could do this
| gentimes start=-1 | eval _raw="Security ID:Joseph Security ID:Admin Security ID:Lopes" | rex max_match=3 "ID:(?<id>\w+)" | eval f1=mvindex(id, 0) | eval f2=mvindex(id, 1) | eval f3=mvindex(id, 2) | table f1 f2 f3
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is there a generic way to do without writing the values of the lines? I have a lot of event values in the same search.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Worked perfectly!
Thank you very much!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @monteirolopes
Glad you were able to find a solution on Answers from @sundareshr 🙂 Please don't forget to resolve the post by clicking "Accept" directly below his answer. This will make it easier to find for other users with a similar issue. Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not sure I understand. This is is runanywhere example. When you use it, you will ignore everthing before the rex command. The rex is a generic regular expression that will extract as long as the field name ends with "ID:" and the values are single word values. If there could be more than 3 fields, you can change the max_match to whatever number you think you need. Setting max_match to 0 will yield unlimited matches in a single event.
As far as the mvindex function is concerned, not sure there is a generic way to do that.
Splunk Custom Visualizations App End of Life
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
