Splunk Search

How to split multiply case number in same field?

steinroardahl
Observer

Hi fellow splunkers!

I have a transaction that return case number in several scenarios. That is working perfectly where event has one case number. My chalenge is a application delete bulk function. My query with regex is matcing case number, but is returning all bulk case number in same field.

Query:
... | transaction pid maxspan=1s startswith=eval(match(_raw,"Processing TicketMultiactionController")) endswith=eval(match(_raw,"Completed"))
Output:
jan 15 08:55:02 10.246.31.18 xx[11138]: Processing TicketMultiactionController#update (for 172.18.209.36 at 2018-01-15 08:55:02) [POST] Jan 15 08:55:02 10.246.31.18 xx[11138]: Parameters: {"multiaction_idbox"=>" **344411 344409 344407**", "scope"=>"", "multiaction_markasdeleted"=>"1", "multiaction_owner"=>"", "multiaction_parentticket"=>"", "multiaction_monitor"=>""}

Example: casenr = 344411 344409 344407

How can I change this to "split" this deleted number into one event each ?

Regards
SRD

Tags (1)
0 Karma
1 Solution

mayurr98
Super Champion

hey you can try something like this as well

Try this run anywhere search

| makeresults 
| eval casenr="344411 344409 344407" 
| makemv casenr 
| mvexpand casenr

If you want to make use this in your current search

<your_base_Search>| makemv casenr | mvexpand casenr

You need to have a field called casenr to use with mvexpand in which this pattern of numbers are there.

Let me know if this helps you!

View solution in original post

0 Karma

mayurr98
Super Champion

hey you can try something like this as well

Try this run anywhere search

| makeresults 
| eval casenr="344411 344409 344407" 
| makemv casenr 
| mvexpand casenr

If you want to make use this in your current search

<your_base_Search>| makemv casenr | mvexpand casenr

You need to have a field called casenr to use with mvexpand in which this pattern of numbers are there.

Let me know if this helps you!

0 Karma

steinroardahl
Observer

It`s work perfectly mayurr98 🙂

0 Karma

niketn
Legend

@steinroardahl, Try the following:

<YourCurrentSearch>
| eval casenr=split(casenr," ")
| mvexpand casenr

Following is the run anywhere example based on your sample data:

| makeresults
| eval casenr="344411 344409 344407"
| eval casenr=split(casenr," ")
| mvexpand casenr

PS: Also explore feasibility of use of stats instead of transsaction for query performance improvement.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...