Splunk Search

REX expression for multiple extractions in columns

raby1996
Path Finder

Hello all,

I was hoping I could get a bit of assistance in figuring out a rex expression I could use to extract part numbers that are in a column. I have a sample data set below:

part_num      serial_num         type
abc            123                a
bcd            234                a
cde            456                b

Essentially I'm trying to extract all the "part_num" and "serial_num" for "types" of "a". I can extract the first part that matches; however, I've been unable to figure out how I can extract all the fields I need of type a for my events. Essentially it would look like this (FYI, I already have the host machine serial number extracted):

rex....
|stats list(part_num) as part_num list(serial_num) as serial_num by host_machine

host_machine          part_num             serial_num
981-aabbc             abc                    123
                      bcd                    234

and this would display for all my machines. Thank you, and please let me know if there are any questions. I appreciate any help.

0 Karma
1 Solution

woodcock
Esteemed Legend

If your "dataset" above is a single event that looks exactly like that, then you need multikv:

http://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Multikv
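To make concrete what the two approaches in this thread do to the poster's text, here is an added Python example; it is not code from the thread or from Splunk. The first function mirrors a multi-row `rex` (in SPL that is `rex max_match=0` with the same named-group pattern, since a plain `rex` returns only the first match, which is the problem described in the question), the second mirrors the header-driven row splitting that `multikv` performs on a tabular event, and the third reproduces the `stats list(part_num) ... by host_machine` step. The two events, their hostnames and the `_raw` text around the table are constructed for the example; the second host is invented to show the grouping.

```python
import re
from collections import defaultdict

# Constructed sample: two Splunk-style events whose _raw body contains the
# poster's free-text table somewhere in the middle, like "ls" output with a
# header line. Hostnames and surrounding text are invented for this example.
SAMPLE_EVENTS = [
    {
        "host_machine": "981-aabbc",
        "_raw": (
            "Inventory report for 981-aabbc\n"
            "some preamble text\n"
            "\n"
            "part_num      serial_num         type\n"
            "abc            123                a\n"
            "bcd            234                a\n"
            "cde            456                b\n"
            "\n"
            "end of report\n"
        ),
    },
    {
        "host_machine": "981-zzyyx",
        "_raw": (
            "part_num      serial_num         type\n"
            "xyz            789                a\n"
            "wxy            890                b\n"
        ),
    },
]

# Approach 1: a rex-style pattern applied to every line of the event.
# (?m) makes ^ and $ anchor to individual lines, so a candidate row must be
# exactly three whitespace-separated tokens; that keeps four-token lines such
# as "Inventory report for 981-aabbc" out. Three-token prose lines still match
# and are only dropped by the type filter, which is the weakness of a purely
# regex-based extraction over unstructured text.
ROW_RE = re.compile(
    r"(?m)^(?P<part_num>\S+)\s+(?P<serial_num>\S+)\s+(?P<type>\S+)\s*$"
)


def rex_rows(raw, wanted_type="a"):
    """Return (part_num, serial_num) for every table row of the wanted type."""
    rows = []
    for m in ROW_RE.finditer(raw):
        if m.group("part_num") == "part_num":
            continue  # the header line itself also matches the row pattern
        if m.group("type") == wanted_type:
            rows.append((m.group("part_num"), m.group("serial_num")))
    return rows


def multikv_rows(raw, wanted_type="a"):
    """Header-driven parse in the spirit of multikv: locate the header line,
    then treat each following line as one row keyed by the header names,
    stopping at the first line that does not have the header's column count
    (a blank line or trailing prose). Rows are filtered by type here; in SPL
    the same filter would be a `| search type=a` after multikv."""
    lines = raw.splitlines()
    header = None
    start = 0
    for i, line in enumerate(lines):
        tokens = line.split()
        if all(col in tokens for col in ("part_num", "serial_num", "type")):
            header, start = tokens, i + 1
            break
    if header is None:
        return []  # no recognisable table in this event
    rows = []
    for line in lines[start:]:
        tokens = line.split()
        if len(tokens) != len(header):
            break  # end of the table
        row = dict(zip(header, tokens))
        if row["type"] == wanted_type:
            rows.append((row["part_num"], row["serial_num"]))
    return rows


def stats_list_by_host(events, wanted_type="a", extractor=rex_rows):
    """Equivalent of `| stats list(part_num) as part_num
    list(serial_num) as serial_num by host_machine`."""
    out = defaultdict(lambda: {"part_num": [], "serial_num": []})
    for ev in events:
        for part, serial in extractor(ev["_raw"], wanted_type):
            out[ev["host_machine"]]["part_num"].append(part)
            out[ev["host_machine"]]["serial_num"].append(serial)
    return dict(out)


if __name__ == "__main__":
    for name, fn in (("rex-style", rex_rows), ("multikv-style", multikv_rows)):
        print(f"== {name} ==")
        for host, cols in stats_list_by_host(SAMPLE_EVENTS, extractor=fn).items():
            for part, serial in zip(cols["part_num"], cols["serial_num"]):
                print(f"{host:<14}{part:<12}{serial}")
```

Both extractors give the same table for this input, but only the header-driven one is safe against stray three-token lines elsewhere in the event, which is why multikv is the better fit when the data really is a table embedded in a larger text event.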


raby1996
Path Finder

Yes, you're right; this looks like it will do the job. Thank you.

0 Karma

woodcock
Esteemed Legend

Is your "dataset" above a single event that looks exactly like that?

0 Karma

cpetterborg
SplunkTrust

Your sample data set looks like a CSV file. Is it?

If it is, then wouldn't you want to do a lookup by type to get the part_num and serial_num from the lookup table? That would not require a rex statement at all.

If not, what exactly is the sample data set? And is it in Splunk as an event, or what?

0 Karma

raby1996
Path Finder

No, unfortunately this is not CSV (or structured data). Essentially this is a large text file, and this data is in tabular format somewhere towards the middle of the file. The easiest way to look at it would be as if we ran an "ls -t" on a Unix server with the headers at the top. And yes, it is in Splunk as an event.

0 Karma