Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Transactions and mvexpand on _raw

dspracklen
Path Finder
‎11-05-2012 10:31 AM

While there was a good question related to my problem, the answers aren't solving my problem.

I need to constrain data to a list of event times for a list of given objects. I can constrain this using transaction and a dedup. This seems to work as best as I can tell. Like with previous questions, I then need to run stats on the events in each transaction to summarize them.

Currently, the relevant bits of my search look like this:
-etc etc etc- | transaction transField mvraw=true | dedup assetID | mvexpand _raw | stats etc etc

The problem is that I can never get mvexpand to recognize that _raw is a valid field. Invariably I get "Field '_raw' does not exist in the data." Replacing mvexpand with a table command shows the field is there, however.

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

dspracklen
Path Finder
‎11-05-2012 10:56 AM

The advice from sdaniels in his comment worked like a charm. Setting a new field to the value of _raw and then using mvexpand on that works. I'm not sure why _raw was invalid, but perhaps it is a change with version 5 of Splunk.

View solution in original post

Reply
Solved! Jump to solution

Michael
Contributor
‎02-03-2020 07:29 AM

Hmm, with due respect (I know a lot of time has passed -- I'm on v 7.3.3), this might have worked before, but not now.

I'm trying to simply expand out the results of a "df -h" from a text'd output file -- and it's being very reluctant...

0 Karma
Reply
Solved! Jump to solution
Solution

dspracklen
Path Finder
‎11-05-2012 10:56 AM

The advice from sdaniels in his comment worked like a charm. Setting a new field to the value of _raw and then using mvexpand on that works. I'm not sure why _raw was invalid, but perhaps it is a change with version 5 of Splunk.

Reply
Solved! Jump to solution

sdaniels
Splunk Employee
Splunk Employee
‎11-05-2012 03:05 PM

Glad i could help. The underscore fields are treated differently in Splunk in general and sometimes you are required to create a new copy of the field to work on it.

Reply
Solved! Jump to solution

dspracklen
Path Finder
‎11-05-2012 10:55 AM

I just gave it a shot and voila, that seems to do the trick. I can't believe I didn't even consider that, but _raw seems to be fine in all other uses. I wonder if it's a change with the new version.

Anyway, thanks for the advice. Time to get back to getting this report into shape!

Reply
Solved! Jump to solution

sdaniels
Splunk Employee
Splunk Employee
‎11-05-2012 10:38 AM

Have you tried to create a copy of _raw and then use that in your command. | eval rawCopy = _raw | mvexpand rawCopy | rename rawCopy as _raw

Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...