- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- how can i get two different events individually wh...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i am using splunk to get the logs. we build a data base where 2 or 3 log events are separated by pipe "|" and tagged to single number in data base. while searching for those events for todays occurence, i am getting the first event only, as i am using first of RAW. How to get all the events tagged to that number, if they occur for today
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you look tried looking into the split command?
index=your_index sourcetype=your_sourcetype | eval regexes = split(_raw, "|") | eval regex1=mvindex(regexes,0)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you look tried looking into the split command?
index=your_index sourcetype=your_sourcetype | eval regexes = split(_raw, "|") | eval regex1=mvindex(regexes,0)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thank you Ryanoconnor. its working
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Instead of first(_raw), try values(_raw) or list(_raw)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi Sundaresh,
i am so thank full for your suggestions. But they are not satisfying my case. please find the below scenario as an example.
example: "regex1|regex2|regex3"
i want to get first instance of regex1 or 2 or 3 or any two or all three(multiple events in the pattern) of the above pattern as they occurred in today's data.
i am using "|stats value (event_pattern) as "unique event", first (_raw) as sample data|"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you provide a sample event and your current search query?
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
example: "regex1|regex2|regex3"
i want to get first instance of regex1 or 2 or 3 or all three(multiple events in the pattern) of the above pattern as they occurred in today's data.
i am using "|stats value (event_pattern) as "unique event", first (_raw) as sample data|"
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
