how to take multiple lines of single event data au...

prathapkcsc · ‎04-08-2017

My event has like this data
ip = 10.60.11.170 , value = 46
ip = 10.60.11.168 , value = 47
ip = 10.60.11.171 , value = 48
ip = 10.60.11.167 , value = 47
for this i wrote a query
| makeresults
| eval allmydata="ip = 10.60.11.170 , value = 46
ip = 10.60.11.168 , value = 47
ip = 10.60.11.171 , value = 48
ip = 10.60.11.167 , value = 47"

by using above queries perfectly am able to read the values.But the problem is every time i need to copy paste the event data. Is there anyway that even data can be read automatically?

Please anyone can help me?
Thanks in advance

woodcock · ‎04-09-2017

Yes, put | outputscsv SomeFileName.csv on the end and then to get it back, start out your search like this:

|inputcsv SomeFileName.csv ...

You can also use a macro:
https://docs.splunk.com/Documentation/Splunk/6.5.2/Admin/Macrosconf

prathapkcsc · ‎04-09-2017

"ip = 10.60.11.170 , value = 46
ip = 10.60.11.168 , value = 47
ip = 10.60.11.171 , value = 48
ip = 10.60.11.167 , value = 47"

I want to avoid this manual thing..
splunk has to read this automatically

prathapkcsc · ‎04-09-2017

makeresults
| eval allmydata="ip = 10.60.11.170 , value = 46
ip = 10.60.11.168 , value = 47
ip = 10.60.11.171 , value = 48
ip = 10.60.11.167 , value = 47"
| rex field=allmydata max_match=0 "(?ip = ([\d.]+) , value = (\d+))"
| fields thedata
| mvexpand thedata
| rex field=thedata max_match=0 "ip = (?[\d.]+) , value = (?\d+)"
| table ip value

This is my query...
Wherr can i make changes according to my requirement .

prathapkcsc · ‎04-09-2017

I want to avoid that all event data in eval command

prathapkcsc · ‎04-09-2017

Can you elaborate this?
I cannot understand...
Thank you

woodcock · ‎04-09-2017

Do this first:

| makeresults 
| eval allmydata="ip = 10.60.11.170 , value = 46::ip = 10.60.11.168 , value = 47::ip = 10.60.11.171 , value = 48::ip = 10.60.11.167 , value = 47"
| makemv delim="::" allmydata
| mvexpand allmydata
| outputcsv allmydata.csv

Then do this:

| inputcsv allmydata.csv

Bob's your uncle!

prathapkcsc · ‎04-09-2017

makeresults
| eval allmydata="ip = 10.60.11.170 , value = 46
ip = 10.60.11.168 , value = 47
ip = 10.60.11.171 , value = 48
ip = 10.60.11.167 , value = 47"
| rex field=allmydata max_match=0 "(?ip = ([\d.]+) , value = (\d+))"
| fields thedata
| mvexpand thedata
| rex field=thedata max_match=0 "ip = (?[\d.]+) , value = (?\d+)"
| table ip value

This is my query...
i want to avoid this manual thing everytime
"ip = 10.60.11.170 , value = 46
ip = 10.60.11.168 , value = 47
ip = 10.60.11.171 , value = 48
ip = 10.60.11.167 , value = 47"

is there any possiblity,do let me know?
Thank you

prathapkcsc · ‎04-09-2017

allmydata="ip = 10.60.11.170 , value = 46::ip = 10.60.11.168 , value = 47::ip = 10.60.11.171 , value = 48::ip = 10.60.11.167 , value = 47"

I dont want to give all this ip,value manually,splunk has to read automatically.

is it possible?

woodcock · ‎01-16-2019

Sure, but where are you planning to get the IP data? From a DB? Use DBConnect. From a search? Just do it. The makeresults stuff was just my way of manufacturing it out of thin air.

how to take multiple lines of single event data automatically

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!