Alerting

scripted alert providing a results.csv with fields containing underscores

jaoui
Path Finder

My full search is as follows:

index=main node_action action=added | eval ip=if(ip=="0.0.0.0",null(),ip) | eval ip_orig=ip | lookup arp mac_addr | eval ip=if(isnull(ip_orig),ip,ip_orig) | eval ip=if(ip="[UNKNOWN]","",ip) | fields - _raw | fields mac_addr ip mac_type | eval mac_addr=mvjoin(mac_addr,", ") | eval ip=mvjoin(ip, ", ") | eval node_type=mvjoin(node_type, ", ") | rename ip as ip_addr |table mac_addr ip_addr mac_type

but when i unzip results.csv, I see fields with "__mv_" that I would like to exclude from my csv results:

"mac_addr","__mv_mac_addr","ip_addr","__mv_ip_addr","mac_type","__mv_mac_type"

Any ideas how to do that?

0 Karma

ziegfried
Influencer

This is because the mac_addr and ip field contain multiple values (ie. they are multivalue field). You can circumvent this by joining the multivalue fields in your search:

... | eval mac_addr=mvjoin(mac_addr,", ") | eval ip=mvjoin(ip, ", ")

See http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/CommonEvalFunctions

0 Karma

jaoui
Path Finder

I added that to my search but it does not seem to fix my issue...

As my search is contains too many characters, I will add it to my initial question

in the search app, I don't see the additional fields such as "__mv_mac_addr" (even when I do "... | table *" but the results.csv contains them

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...