how to take multiple lines of single event data automatically

prathapkcsc
Explorer

My event has data like this:
ip = 10.60.11.170 , value = 46
ip = 10.60.11.168 , value = 47
ip = 10.60.11.171 , value = 48
ip = 10.60.11.167 , value = 47
For this I wrote a query:
| makeresults
| eval allmydata="ip = 10.60.11.170 , value = 46
ip = 10.60.11.168 , value = 47
ip = 10.60.11.171 , value = 48
ip = 10.60.11.167 , value = 47"

By using the above query I am perfectly able to read the values. But the problem is that every time I need to copy and paste the event data. Is there any way that the event data can be read automatically?

Can anyone please help me?
Thanks in advance.


woodcock
Esteemed Legend

Yes, put | outputcsv SomeFileName.csv on the end and then, to get it back, start out your search like this:

|inputcsv SomeFileName.csv ...

You can also use a macro:
https://docs.splunk.com/Documentation/Splunk/6.5.2/Admin/Macrosconf

prathapkcsc
Explorer

"ip = 10.60.11.170 , value = 46
ip = 10.60.11.168 , value = 47
ip = 10.60.11.171 , value = 48
ip = 10.60.11.167 , value = 47"

I want to avoid this manual thing.
Splunk has to read this automatically.


prathapkcsc
Explorer

| makeresults
| eval allmydata="ip = 10.60.11.170 , value = 46
ip = 10.60.11.168 , value = 47
ip = 10.60.11.171 , value = 48
ip = 10.60.11.167 , value = 47"
| rex field=allmydata max_match=0 "(?<thedata>ip = [\d.]+ , value = \d+)"
| fields thedata
| mvexpand thedata
| rex field=thedata "ip = (?<ip>[\d.]+) , value = (?<value>\d+)"
| table ip value

This is my query...
Where can I make changes according to my requirement?


prathapkcsc
Explorer

I want to avoid having all that event data in the eval command.


prathapkcsc
Explorer

Can you elaborate on this?
I cannot understand...
Thank you.


woodcock
Esteemed Legend

Do this first:

| makeresults 
| eval allmydata="ip = 10.60.11.170 , value = 46::ip = 10.60.11.168 , value = 47::ip = 10.60.11.171 , value = 48::ip = 10.60.11.167 , value = 47"
| makemv delim="::" allmydata
| mvexpand allmydata
| outputcsv allmydata.csv

Then do this:

| inputcsv allmydata.csv

Bob's your uncle!

prathapkcsc
Explorer

| makeresults
| eval allmydata="ip = 10.60.11.170 , value = 46
ip = 10.60.11.168 , value = 47
ip = 10.60.11.171 , value = 48
ip = 10.60.11.167 , value = 47"
| rex field=allmydata max_match=0 "(?<thedata>ip = [\d.]+ , value = \d+)"
| fields thedata
| mvexpand thedata
| rex field=thedata "ip = (?<ip>[\d.]+) , value = (?<value>\d+)"
| table ip value

This is my query...
I want to avoid this manual thing every time:
"ip = 10.60.11.170 , value = 46
ip = 10.60.11.168 , value = 47
ip = 10.60.11.171 , value = 48
ip = 10.60.11.167 , value = 47"

Is there any possibility? Do let me know.
Thank you.


prathapkcsc
Explorer

allmydata="ip = 10.60.11.170 , value = 46::ip = 10.60.11.168 , value = 47::ip = 10.60.11.171 , value = 48::ip = 10.60.11.167 , value = 47"

I don't want to give all these ip/value pairs manually; Splunk has to read them automatically.

Is it possible?


woodcock
Esteemed Legend

Sure, but where are you planning to get the IP data? From a DB? Use DBConnect. From a search? Just do it. The makeresults stuff was just my way of manufacturing it out of thin air.

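As an added example (not code from either poster), this is the "from a search? just do it" route the reply above describes: the same two rex stages are applied to the raw indexed events instead of to a string typed into eval, so nothing has to be pasted in by hand. The index and sourcetype names are placeholders; substitute the ones that hold the "ip = ... , value = ..." events.

```spl
index=<your_index> sourcetype=<your_sourcetype> "ip =" "value ="
| rex field=_raw max_match=0 "(?<thedata>ip = [\d.]+ , value = \d+)"
| mvexpand thedata
| rex field=thedata "ip = (?<ip>[\d.]+) , value = (?<value>\d+)"
| table _time ip value
```

The first rex runs against _raw with max_match=0, so a single multi-line event yields one thedata entry per line; if each line was indexed as its own event the search still works, each event simply producing one entry. mvexpand then turns those entries into separate result rows and the second rex splits each row into ip and value. If the parsed table is reused often, append the outputcsv/inputcsv pair from the earlier reply to cache it rather than re-parsing on every search.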