Splunk Search

How to make a table with multiple multivalue fields?

aadrian
Engager

I need to make a table with some information from events.

my event looks like:

[timestamp][some info]

[function_name_1][id_1][param_1][result_1]

[function_name_2][id_2][param_2][result_2]

[function_name_3][id_3][param_3][result_3]

...

[function_name_n][id_n][param_n][result_n]

My regexp only found the first occurrence of the fields (function_name, id, param, result), so I used MV_ADD for all multivalue fields and now it finds all occurrences.

My table should look like:

index |timestamp |some_info |function_name |id |param |result
1 |timestamp |some_info |function_name_1|id_1 |param_1|result_1
2 |timestamp |some_info |function_name_2|id_2 |param_2|result_2
3 |timestamp |some_info |function_name_3|id_3 |param_3|result_3
4 |timestamp |some_info |function_name_4|id_4 |param_4|result_4

The problem is with the multivalue fields: for the last 4 columns in one record I've got a couple of values, and my table looks like:

index |timestamp |some_info |function_name |id |param |result
1 |timestamp |some_info |function_name_1|id_1|param_1|result_1
| | |function_name_2|id_2|param_2|result_2
| | |function_name_3|id_3|param_3|result_3
| | |function_name_4|id_4|param_4|result_4
2 |timestamp |some_info |function_name_1|id_1 |param_1|result_1
| | |function_name_2|id_2 |param_2|result_2
| | |function_name_3|id_3 |param_3|result_3
| | |function_name_4|id_4 |param_4|result_4

I read about the mvexpand command, but it doesn't work well with multiple multivalue fields.
After mvexpand for all multivalue fields I've got:

index |timestamp |some_info |function_name |id |param |result
1 |timestamp |some_info |function_name_1|id_1 |param_1|result_1
2 |timestamp |some_info |function_name_1|id_1 |param_1|result_2
3 |timestamp |some_info |function_name_1|id_1 |param_1|result_3
4 |timestamp |some_info |function_name_1|id_1 |param_1|result_4
5 |timestamp |some_info |function_name_1|id_1 |param_2|result_1
6 |timestamp |some_info |function_name_1|id_1 |param_2|result_2
7 |timestamp |some_info |function_name_1|id_1 |param_2|result_3
8 |timestamp |some_info |function_name_1|id_1 |param_2|result_4
9 |timestamp |some_info |function_name_1|id_1 |param_3|result_1
10 |timestamp |some_info |function_name_1|id_1 |param_3|result_2
11 |timestamp |some_info |function_name_1|id_1 |param_3|result_3
...
(n-1) |timestamp |some_info |function_name_4|id_4 |param_4|result_3
n |timestamp |some_info |function_name_4|id_4 |param_4|result_4

My last query looks like:

table _time some_info function_name id param result | mvexpand function_name | mvexpand id | mvexpand param | mvexpand result

Could anyone help me with this situation?

Thanks,

Adrian.

sbsbb
Builder

I would try to use spath, output the result in a field, and do an mvexpand on that...

0 Karma

sbsbb
Builder

I'm not sure I understand your problem; I've done something similar with XML.
In your case, maybe you should extract all the information as one field (let's say eField) " |function_name_1|id_1 |param_1|result_1", then mvexpand, and only after that extract fields out of this eField.

0 Karma
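The approach sbsbb describes (collapse to one field, mvexpand once, then re-extract) can be done directly in SPL with mvzip, which pairs the multivalue fields position by position instead of taking their cross product. This is an added example, not from the original thread. It assumes the four fields already arrive as equal-length multivalue fields from the MV_ADD extraction described in the question, and that no value contains the `|` character used here as the delimiter; `combined` and `parts` are field names chosen for this example.

```spl
... your base search ...
| eval combined=mvzip(mvzip(mvzip(function_name, id, "|"), param, "|"), result, "|")
| mvexpand combined
| eval parts=split(combined, "|")
| eval function_name=mvindex(parts, 0), id=mvindex(parts, 1), param=mvindex(parts, 2), result=mvindex(parts, 3)
| fields - combined parts
| table _time some_info function_name id param result
```

The first eval stitches the i-th function_name, id, param and result into one string per row, so `combined` has exactly n values for an event with n rows; mvexpand on that single field then yields n events rather than the n^4 shown in the question, which also keeps mvexpand well inside its memory limit. split and mvindex (0-based) then recover the four columns. Before relying on this, confirm the per-event counts really match, e.g. with `| where mvcount(function_name)!=mvcount(result)` to surface events where the extraction dropped a value, because a mismatch silently misaligns the rows. If values can legitimately contain `|`, pick a delimiter that cannot appear in the data. The same two-field zip (P_NAME with P_value) gives the one-to-one mapping disha asks for below, after which `chart first(P_value) over _time by P_NAME` works on the expanded rows.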

disha
Contributor

I have tried that. mvexpand is giving each field as one line, as:

P_NAME P_value
p1 m1
p2 m2
p3 m3

But I cannot figure out how to do a one-to-one mapping of P_NAME and P_ID, as I need to draw a chart like
chart first(P_value) over _time by P_NAME
Please help.
Thanks

0 Karma

disha
Contributor

Did you find any solution? Looks like nobody is answering about multiple multivalued fields. I am stuck with the same.

0 Karma

adityapavan18
Contributor

Hi aadrian,

I am facing a similar situation; have you got a solution to this? Even I am struggling to do the same.

Thnx

0 Karma