Hi fellow splunkers!
I have a transaction that returns a case number in several scenarios. That is working perfectly where the event has one case number. My challenge is an application bulk delete function. My query with regex is matching the case number, but it is returning all bulk case numbers in the same field.
Query:
... | transaction pid maxspan=1s startswith=eval(match(_raw,"Processing TicketMultiactionController")) endswith=eval(match(_raw,"Completed"))
Output:
jan 15 08:55:02 10.246.31.18 xx[11138]: Processing TicketMultiactionController#update (for 172.18.209.36 at 2018-01-15 08:55:02) [POST] Jan 15 08:55:02 10.246.31.18 xx[11138]: Parameters: {"multiaction_idbox"=>" **344411 344409 344407**", "scope"=>"", "multiaction_markasdeleted"=>"1", "multiaction_owner"=>"", "multiaction_parentticket"=>"", "multiaction_monitor"=>""}
Example: casenr = 344411 344409 344407
How can I change this to "split" these deleted numbers into one event each?
Regards
SRD
Hey, you can try something like this as well.
Try this run-anywhere search:
| makeresults
| eval casenr="344411 344409 344407"
| makemv casenr
| mvexpand casenr
If you want to use this in your current search:
<your_base_Search>| makemv casenr | mvexpand casenr
You need to have a field called casenr, containing this pattern of numbers, to use with mvexpand.
Let me know if this helps you!
It works perfectly, mayurr98 🙂
@steinroardahl, try the following:
<YourCurrentSearch>
| eval casenr=split(casenr," ")
| mvexpand casenr
Following is the run anywhere example based on your sample data:
| makeresults
| eval casenr="344411 344409 344407"
| eval casenr=split(casenr," ")
| mvexpand casenr
PS: Also explore the feasibility of using stats instead of transaction for query performance improvement.
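The field split from the answers above, reproduced outside Splunk as an added example (not code from the thread): it extracts pid, casenr and the delete flag from the sample transaction event and then emits one record per case number, the way `makemv casenr | mvexpand casenr` does. The regex patterns are assumptions, since the question's own rex is not shown.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the transaction output in the question:
# two syslog lines that the transaction command joined into one event.
SAMPLE_EVENT = (
    'Jan 15 08:55:02 10.246.31.18 xx[11138]: Processing '
    'TicketMultiactionController#update (for 172.18.209.36 at 2018-01-15 08:55:02) [POST] '
    'Jan 15 08:55:02 10.246.31.18 xx[11138]: Parameters: '
    '{"multiaction_idbox"=>"344411 344409 344407", "scope"=>"", '
    '"multiaction_markasdeleted"=>"1", "multiaction_owner"=>"", '
    '"multiaction_parentticket"=>"", "multiaction_monitor"=>""}'
)

# Assumed extractions (the question's own rex is not shown in the thread).
FIELD_PATTERNS = {
    "pid": re.compile(r"xx\[(\d+)\]"),
    "casenr": re.compile(r'"multiaction_idbox"=>"([^"]*)"'),
    "deleted": re.compile(r'"multiaction_markasdeleted"=>"([^"]*)"'),
}


def extract_fields(event: str) -> Dict[str, str]:
    """Equivalent of the rex step: one event -> one record, casenr still space-separated."""
    record = {}
    for name, pattern in FIELD_PATTERNS.items():
        match = pattern.search(event)
        if match:
            record[name] = match.group(1)
    return record


def expand_casenr(record: Dict[str, str]) -> List[Dict[str, str]]:
    """Equivalent of `makemv casenr | mvexpand casenr`: one output record per
    case number, with every other field copied unchanged onto each copy."""
    values = record.get("casenr", "").split()
    if not values:
        # Nothing to split (missing or empty idbox): pass the record through as-is.
        return [dict(record)]
    return [{**record, "casenr": value} for value in values]


if __name__ == "__main__":
    for row in expand_casenr(extract_fields(SAMPLE_EVENT)):
        print(row)
```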