Only able to extract the first value of a comma separated list for a given field.

morenodelgad1
Explorer

I have data in the following format:

GenericHostName1=vm1,vm2,vm3,vm4;
GenericHostName2=vm5,vm6,vm7;

When I search for GenericHostName1, the only associated value with that field is 'vm1' instead of the whole list of VMs. Splunk is only associating the first value in the comma separated list and I want all of them. How would I go about making a search that will return all of the values in the list and not just the first one? Would it help if I were to change the way my data is originally created?

Thanks in advance,

-RMD

0 Karma

niketn
Legend

@morenodelgad1, automatic KV mode performs search-time field discovery based on key-value pairs separated by an equals sign ( = ). Comma ( , ) is a major segmenter, which means the value will not be identified after encountering a comma.

https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Automatickey-valuefieldextractionsatse...

http://docs.splunk.com/Documentation/Splunk/latest/Search/UseCASEandTERMtomatchphrases

In your case you can create your own Field Extraction using Interactive Field Extraction in Splunk Web from Settings > Fields (Knowledge Objects) > Field extractions

For example, to extract the field GenericHostName1 you can use your own Regular Expression, i.e. GenericHostName1=(?<GenericHostName1>[^;]+), and so on. You can test your Regular Expression(s) on regex101.com or let Splunk generate the required Regular Expression for you. If you have not used Splunk Interactive Field Extraction before, you can try out the following step-by-step documentation: http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/ExtractfieldsinteractivelywithIFX

Also, you can use the rex command in your SPL to test out the Regular Expression in Splunk with your data rather than testing mock/sample data in regex101.com. Following is a run-anywhere search for you to try/test out:

|  makeresults
|  eval _raw="GenericHostName1=vm1,vm2,vm3,vm4;"
|  rex "GenericHostName1=(?<GenericHostName1>[^;]+)"
|  makemv GenericHostName1 delim=","

PS: I have used the makemv command to convert comma-separated values to a multi-valued field. However, you can ignore it if you require all values as a single value (separated by commas as in your data example).

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

morenodelgad1
Explorer

Thank you for your response. I was initially told by a teammate that this would easily be handled by Splunk but we quickly realized that it was not. Going to try this and I will update with my results and findings.

0 Karma

niketn
Legend

While I know field extractions will work, you can try it out and confirm. If something does not work, make sure you unaccept this answer so that it is flagged for other community members as an unanswered question.
There would be a way for you to change Splunk’s event segmentation as per your needs, and maybe that is what your colleague referred to. However, you should weigh the value (correct field extraction) vs the cost (performance). There is a possibility that some other fields pick up additional content as well. So I feel proper field extraction as per your needs is a better option and has better control.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

cpetterborg
SplunkTrust

With a search time field extraction for the given information, you should be able to use something like the following:

... | rex field=yourfield "=(?P<values>.*)" | rex field=values max_match=0 "(?P<hostname>\w+),?" | ...

This is making some assumptions that may not work in your environment, but without knowing more about it, this is what I could come up with. It will result in a multi-value field called hostname that will contain the set of hostnames in the list.
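As an added, stand-alone illustration (not code from either answer above), the following Python reproduces both approaches with PCRE-compatible patterns on constructed events: the first pattern approximates why automatic key=value discovery stops at the comma, the second is the `[^;]+` extraction from niketn's answer generalised to any key, with the comma split standing in for `makemv delim=","` / `rex max_match=0`. Python's `re` requires the `(?P<name>...)` group syntax, which Splunk's rex also accepts.

```python
import re
from typing import Dict, List

# Constructed sample events in the format described in the question.
SAMPLE_EVENTS = [
    "GenericHostName1=vm1,vm2,vm3,vm4;",
    "GenericHostName2=vm5,vm6,vm7;",
    "GenericHostName1=vm1,vm2,vm3,vm4; GenericHostName2=vm5,vm6,vm7;",
]

# Approximation of automatic KV discovery: the value stops at the first
# major segmenter (comma, semicolon, whitespace), so only "vm1" survives.
AUTO_KV = re.compile(r"(?P<key>\w+)=(?P<value>[^,;\s]+)")

# Custom extraction generalised from niketn's answer: the value runs up to
# the ';' terminator, so the whole comma-separated list is captured.
# Assumes every list is ';'-terminated, as in the question's data.
CUSTOM_KV = re.compile(r"(?P<key>\w+)=(?P<value>[^;]+)")


def auto_extract(event: str) -> Dict[str, str]:
    """Mimic automatic extraction: one truncated value per key."""
    return {m["key"]: m["value"] for m in AUTO_KV.finditer(event)}


def extract_hosts(event: str) -> Dict[str, List[str]]:
    """Custom extraction plus makemv: each key maps to its full host list."""
    fields: Dict[str, List[str]] = {}
    for m in CUSTOM_KV.finditer(event):
        # Split on ',' and drop empty/whitespace items, like makemv delim=",".
        hosts = [h.strip() for h in m["value"].split(",") if h.strip()]
        fields[m["key"]] = hosts
    return fields


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print("auto  :", auto_extract(event))
        print("custom:", extract_hosts(event))
```

If a list is not terminated by `;`, change the value pattern's terminator to whatever actually ends the list, otherwise `[^;]+` will run to the end of the event and swallow following fields.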

richgalloway
SplunkTrust

It will depend on how the data is onboarded. Can you please share the props.conf settings for that sourcetype?

---
If this reply helps you, Karma would be appreciated.
0 Karma

cpetterborg
SplunkTrust

At index time (please say yes) or index time? This will make a big difference.

0 Karma

morenodelgad1
Explorer

I believe at Index Time.

0 Karma