Extracted values not showing up in new fields

dannili
Communicator

Hi all, I'm extracting a list of values from a column called QoEReport but the extracted value does not show up in the new field.

This is my search syntax:

 index="session" 
    | rex "FromIPAddr\":\"(?<FromIPAddr>[^\"]+)\",\"ToIPAddr\"" 
    | rex "ToIPAddr\":\"(?<ToIPAddr>[^\"]+)\",\"FromBssid\"" 
    | rex "PacketLossRate\":\"(?<Stream_1_PacketLossRate>[^\"]+)\",\"PacketLossRateMax\"" 
    | rex "\"RoundTrip\":(?<Stream_1_RoundTrip>\d+).+\"RoundTrip\":(?<Stream_2_RoundTrip>\d+)" 
    | rex "\"JitterInterArrival\":(?<Stream_1_JitterInterArrival>\d+).+\"JitterInterArrival\":(?<Stream_2_JitterInterArrival>\d+)" 
    | rex "\"PacketLossRate\":(?<Stream_1_PacketLossRate>\d+).+\"PacketLossRate\":(?<Stream_2_PacketLossRate>\d+)" 
    | rex "\"OverallAvgNetworkMOS\":(?<OverallAvgNetworkMOS>\d+).+\"OverallAvgNetworkMOS\":(?<OverallAvgNetworkMOS2>\d+)" 
    | table QoEReport,MediaStartTime, StartTime, EndTime, FromUri, ToUri, FromIPAddr,ToIPAddr,Stream_1_PacketLossRate, Stream_1_RoundTrip , Stream_1_JitterInterArrival, Stream_2_PacketLossRate, Stream_2_RoundTrip, Stream_2_JitterInterArrival, OverallAvgNetworkMOS

Do I need more syntax to make it work? Cuz when I test it using eval _raw="field_needs_to_be_searched", it worked perfectly. Does the length of searched field affect the result?

This is part of one sample raw event:
(as you can see it's relatively long but I'm required not to pre-process data inside the QoEReport column)

Kernel Version 17.5.0: Fri Apr 13 19:32:32 PDT 2018; root:xnu-4570.51.2~1/RELEASE_X86_64","ToOS":"","FromCPUName":"Intel(R) Core(TM) i5-5250U CPU @ 1.60GHz","ToCPUName":"","FromCPUNumberOfCores":2,"ToCPUNumberOfCores":null,"FromCPUProcessorSpeed":1600,"ToCPUProcessorSpeed":1800,"FromVirtualizationFlag":null,"ToVirtualizationFlag":null,"PossibleDataMissing":false},"MediaLines":[{"MediaLineLabelText":"main-audio","MidCallReport":false,"FromConnectivityIce":"DIRECT","ToConnectivityIce":"","Transport":"UDP","Security":"SRTP","FromPort":50004,"ToPort":52320,"FromRelayIPAddr":"52.113.1.28","ToRelayIPAddr":"52.114.60.71","FromRelayPort":58012,"ToRelayPort":null,"FromCaptureDev":"Built-in Microphone","ToCaptureDev":"","FromCaptureDevDriver":"","ToCaptureDevDriver":"","FromRenderDev":"Built-in Output","ToRenderDev":"","FromRenderDevDriver":"","ToRenderDevDriver":"","FromVPN":false,"ToVPN":false,"FromLinkSpeed":146080000,"ToLinkSpeed":1000000000,"FromNetworkConnectionDetail":"wifi","ToNetworkConnectionDetail":"wired","FromIPAddr":"52.114.60.71","ToIPAddr":"52.114.60.71","FromBssid":null,"ToBssid":null,"FromReflexiveLocalIPAddr":"98.210.208.202","ToReflexiveLocalIPAddr":"10.11.180.137","FromWifiDriverDeviceDesc":"","ToWifiDriverDeviceDesc":"","FromWifiDriverVersion":"","ToWifiDriverVersion":"","FromWifiRSSI":0,"ToWifiRSSI":0,"FromSSID":"","ToSSID":"","FromWifiChannel":0,"ToWifiChannel":0,"FromActivePowerProfile":0,"ToActivePowerProfile":0,"FromWifiHandovers":0,"ToWifiHandovers":0,"FromWifiChannelSwitches":0,"ToWifiChannelSwitches":0,"FromWifiChannelReassociations":0,"ToWifiChannelReassociations":0,"FromWifiRadioFrequency":0,"ToWifiRadioFrequency":0,"FromWifiSignalStrength":0,"ToWifiSignalStrength":0,"PossibleDataMissing":false}],"AudioStreams":[{"JitterInterArrival":10,"JitterInterArrivalMax":24,"PacketLossRate":0.01353227,"PacketLossRateMax":0.09027778,"BurstDensity":null,"BurstDuration":null,"BurstGapDensity":null,"BurstGapDuration":null,"BandwidthEst":25245423,"RoundTrip":5
20,"RoundTripMax":11099,"PacketUtilization":2843,"RatioConcealedSamplesAvg":0.02746676,"ConcealedRatioMax":0.01598402,"PayloadDescription":"SIREN","AudioSampleRate":16000,"AudioFECUsed":true,"SendListenMOS":null,"OverallAvgNetworkMOS":3.487248,"DegradationAvg":0.2727518,"DegradationMax":0.2727518,"NetworkJitterAvg":253.0633,"NetworkJitterMax":1149.659,"JitterBufferSizeAvg":220,"JitterBufferSizeMax":1211,"PossibleDataMissing":false,"StreamDirection":"FROM-to-TO"},{"JitterInterArrival":10,"JitterInterArrivalMax":24,"PacketLossRate":0.01342051,"PacketLossRateMax":0.09027778,"BurstDensity":null,"BurstDuration":null,"BurstGapDensity":null,"BurstGapDuration":null,"BandwidthEst":2347573,"RoundTrip":721,"RoundTripMax":1703,"PacketUtilization":2906,"RatioConcealedSamplesAvg":0.02746676,"ConcealedRatioMax":null,"PayloadDescription":"SIREN","AudioSampleRate":16000,"AudioFECUsed":true,"SendListenMOS":3.5,"OverallAvgNetworkMOS":null,"DegradationAvg":null,"DegradationMax":null,"NetworkJitterAvg":null,"NetworkJitterMax":null,"JitterBufferSizeAvg":null,"JitterBufferSizeMax":null,"PossibleDataMissing":false,"StreamDirection":"TO-to-FROM"}],"VideoStreams":null,"AudioSignals":[{"PossibleDataMissing":false,"SubmittedByFromUser":true,"SendSignalLevel":-20,"RecvSignalLevel":-14,"SendNoiseLevel":-64,"RecvNoiseLevel":-58,"AudioSpeakerGlitchRate":null,"AudioMicGlitchRate":null,"VsEntryCauses":null,"EchoEventCauses":null,"RecvSignalLevelCh1":-14,"RecvSignalLevelCh2":null,"RecvNoiseLevelCh1":-58,"RecvNoiseLevelCh2":null,"SendSignalLevelCh1":-20,"SendSignalLevelCh2":null,"SendNoiseLevelCh1":-64,"SendNoiseLevelCh2":null,"RenderSignalLevel":0.0,"RenderNoiseLevel":0.0,"RenderLoopbackSignalLevel":null},{"PossibleDataMissing":false,"SubmittedByFromUser":false,"SendSignalLevel":null,"RecvSignalLevel":null,"SendNoiseLevel":null,"RecvNoiseLevel":null,"AudioSpeakerGlitchRate":null,"AudioMicGlitchRate":null,"VsEntryCauses":null,"EchoEventCauses":null,"RecvSignalLevelCh1":null,"RecvSignalLevelCh2":null,"
RecvNoiseLevelCh1":null,"RecvNoiseLevelCh2":null,"SendSignalLevelCh1":null,"SendSignalLevelCh2":null,"SendNoiseLevelCh1":null,"SendNoiseLevelCh2":null,"RenderSignalLevel":0.0,"RenderNoiseLevel":0.0,"RenderLoopbackSignalLevel":null}],"AppSharingStreams":null,"FeedBackReports":null,"AudioClientEvents":[{"PossibleDataMissing":false,"SubmittedByFromUser":true,"NetworkSendQualityEventRatio":0.0,"NetworkReceiveQualityEventRatio":0.0,"NetworkDelayEventRatio":0.23,"NetworkBandwidthLowEventRatio":0.0,"CPUInsufficientEventRatio":0.0,"DeviceHalfDuplexAECEventRatio":0.0,"DeviceRenderNotFunctioningEventRatio":0.0,"DeviceCaptureNotFunctioningEventRatio":0.0,"DeviceGlitchesEventRatio":0.0,"DeviceLowSNREventRatio":0.0,"DeviceLowSpeechLevelEventRatio":0.0,"DeviceClippingEventRatio":0.0,"DeviceEchoEventRatio":0.0,"DeviceNearEndToEchoRatioEventRatio":0.0,"DeviceMultipleEndpointsEventCount":0,"DeviceHowlingEventCount":0,"DeviceRenderZeroVolumeEventRatio":0.0,"DeviceRenderMuteEventRatio":0.0},{"PossibleDataMissing":false,"SubmittedByFromUser

Thanks a lot!

0 Karma
1 Solution

FrankVl
Ultra Champion

So you have 2 different formats. The first is tab delimited and the second is key:value pairs on separate lines? Also: the data you're looking for (like FromIPAddr) doesn't exist at all in these sample events?

Not sure how you're ingesting this data, but looks like this may need some work to get it into Splunk properly, before worrying about how to search it? Looks like a large part of your original raw data as you shared it from the source files is not ending up in Splunk.

0 Karma

dannili
Communicator

For the format I think yes. All these data (FromIPAddr, ToIPAddr...) exist inside each cell from the QoEReport column in the original .csv files. To process data in Splunk I usually upload all the csv files to HUE browser first, then use a summary index (skype_session in this case) to retrieve them.

Seems you're right. Maybe part of the QoEReport data did not end up in Splunk successfully. Not sure about the cause tho..

0 Karma

dannili
Communicator

Is it possible each QoEReport cell contains way too much data and that's why they did not end up in Splunk properly? If yes then I need to pre-process data in Excel anyway..

0 Karma

FrankVl
Ultra Champion

I'm guessing the CSV import may be messed up because cells also contain commas.

Given that this question started as a request for help with field extractions, and has gotten a bit messy, you might want to start a new question to get help ingesting this data.

In that case, please clearly explain the process you follow to ingest the data (and any relevant splunk config involved) and show good samples of the original data files (with sensitive stuff masked of course).

0 Karma
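
Added example, not part of the original thread: a Python sketch of the failure FrankVl guesses at above, where a CSV import that ignores quoting cuts the QoEReport cell at its first comma, so the question's regex has nothing to match. The sample report is constructed (key names from the thread, documentation-range IP addresses), and all function names are hypothetical.

```python
import csv
import io
import json
import re

# Constructed sample: a trimmed QoEReport document using key names from the thread.
# IP addresses are documentation-range placeholders, not values from the page.
REPORT = {
    "MediaLines": [{"FromIPAddr": "192.0.2.10", "ToIPAddr": "198.51.100.20",
                    "FromBssid": None}],
    "AudioStreams": [
        {"JitterInterArrival": 10, "PacketLossRate": 0.01353227, "RoundTrip": 520,
         "OverallAvgNetworkMOS": 3.487248, "StreamDirection": "FROM-to-TO"},
        {"JitterInterArrival": 10, "PacketLossRate": 0.01342051, "RoundTrip": 721,
         "OverallAvgNetworkMOS": None, "StreamDirection": "TO-to-FROM"},
    ],
}
CELL = json.dumps(REPORT, separators=(",", ":"))

# First rex pattern from the question, in Python named-group syntax.
FROM_IP = re.compile(r'FromIPAddr":"(?P<FromIPAddr>[^"]+)","ToIPAddr"')
STREAM_KEYS = ("RoundTrip", "JitterInterArrival", "PacketLossRate", "OverallAvgNetworkMOS")


def build_csv():
    """Header plus one row, quoted the way a spreadsheet export quotes cells."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["StartTime", "QoEReport", "EndTime"])
    writer.writerow(["2018-06-18T19:19:28", CELL, "2018-06-18T20:27:18"])
    return buf.getvalue()


def naive_cell(csv_text):
    """Quote-unaware import: every comma is treated as a column boundary."""
    header, row = csv_text.splitlines()[:2]
    return row.split(",")[header.split(",").index("QoEReport")]


def quoted_cell(csv_text):
    """Quote-aware import: the whole JSON document stays in one field."""
    return next(csv.DictReader(io.StringIO(csv_text)))["QoEReport"]


def regex_from_ip(cell):
    """Apply the question's FromIPAddr pattern; None when it does not match."""
    match = FROM_IP.search(cell)
    return match.group("FromIPAddr") if match else None


def extract(cell):
    """Parse the cell as JSON; return None when it is truncated or not JSON."""
    try:
        doc = json.loads(cell)
    except json.JSONDecodeError:
        return None
    if not isinstance(doc, dict):
        return None
    line = (doc.get("MediaLines") or [{}])[0]
    fields = {"FromIPAddr": line.get("FromIPAddr"), "ToIPAddr": line.get("ToIPAddr")}
    for number, stream in enumerate(doc.get("AudioStreams") or [], start=1):
        for key in STREAM_KEYS:
            # JSON null stays None; decimals stay floats.
            fields[f"Stream_{number}_{key}"] = stream.get(key)
    return fields


if __name__ == "__main__":
    text = build_csv()
    for label, cell in (("naive", naive_cell(text)), ("quoted", quoted_cell(text))):
        print(label, len(cell), regex_from_ip(cell), extract(cell))
```

Comparing the length of the ingested field with the length of the source cell is a quick check for this kind of truncation before any extraction is debugged.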

dannili
Communicator

Okay. Thanks for your help!

0 Karma

dannili
Communicator

This is the only index search screenshot.

0 Karma

dannili
Communicator

@493669 and @FrankVl, please refer to this pic.
As you can see the QoEReport can display normally itself but when I use rex to extract all these values inside QoEReport column nothing showed up. (StartTime and EndTime are already single columns from the original csv file so they can show up normally)

I use summary index="skype-session" to get all related files.

0 Karma

FrankVl
Ultra Champion

Can you also share a screenshot without the rex and table commands? So just the index search results?

Also: the QoEReport column only contains that specific data which is shown here, or is the display truncated somehow and is all the other info you're trying to extract actually in there?

0 Karma

dannili
Communicator

Yes. Please refer to the answer just posted.

And I believe the QoEReport display is truncated cuz when I view it in the Excel file/raw format it includes all the data I needed to extract:

Here's one example (one cell from the QoEReport column):

{"Session":{"MediaStartTime":"2018-06-18T19:19:28.109604","MediaEndTime":"2018-06-18T20:27:18.2167839","IsFromReceived":true,"IsToReceived":true,"ConferenceUri":"sip:agnes.ling@oocl.com;gruu;opaque=app:conf:audio-video:id:P2DT3BMZ","MediationServerBypassFlag":false,"FromOS":"Windows 10.0.15063 SP: 0.0 Type: 1(Workstation) Suite: 256 Arch: x64 WOW64: True","ToOS":"","FromCPUName":"Intel(R) Core(TM) i3-6100 CPU @ 3.70GHz","ToCPUName":"","FromCPUNumberOfCores":2,"ToCPUNumberOfCores":null,"FromCPUProcessorSpeed":3696,"ToCPUProcessorSpeed":1800,"FromVirtualizationFlag":1,"ToVirtualizationFlag":null,"PossibleDataMissing":false},"MediaLines":[{"MediaLineLabelText":"main-audio","MidCallReport":false,"FromConnectivityIce":"DIRECT","ToConnectivityIce":"","Transport":"UDP","Security":"SRTP","FromPort":50004,"ToPort":51561,"FromRelayIPAddr":"52.113.1.70","ToRelayIPAddr":"52.113.1.11","FromRelayPort":54119,"ToRelayPort":null,"FromCaptureDev":"Microphone (2- Plantronics C310)","ToCaptureDev":"","FromCaptureDevDriver":"Microsoft: 10.0.15063.502","ToCaptureDevDriver":"","FromRenderDev":"Speakers / Headphones (Realtek Audio)","ToRenderDev":"","FromRenderDevDriver":"Realtek Semiconductor Corp.: 
6.0.1.6105","ToRenderDevDriver":"","FromVPN":false,"ToVPN":false,"FromLinkSpeed":100000000,"ToLinkSpeed":1000000000,"FromNetworkConnectionDetail":"wired","ToNetworkConnectionDetail":"wired","FromIPAddr":"146.222.35.166","ToIPAddr":"52.113.1.11","FromBssid":null,"ToBssid":null,"FromReflexiveLocalIPAddr":"61.6.23.62","ToReflexiveLocalIPAddr":"10.11.180.134","FromWifiDriverDeviceDesc":"","ToWifiDriverDeviceDesc":"","FromWifiDriverVersion":"","ToWifiDriverVersion":"","FromWifiRSSI":0,"ToWifiRSSI":0,"FromSSID":"","ToSSID":"","FromWifiChannel":0,"ToWifiChannel":0,"FromActivePowerProfile":0,"ToActivePowerProfile":0,"FromWifiHandovers":0,"ToWifiHandovers":0,"FromWifiChannelSwitches":0,"ToWifiChannelSwitches":0,"FromWifiChannelReassociations":0,"ToWifiChannelReassociations":0,"FromWifiRadioFrequency":0,"ToWifiRadioFrequency":0,"FromWifiSignalStrength":0,"ToWifiSignalStrength":0,"PossibleDataMissing":false}],"AudioStreams":[{"JitterInterArrival":1,"JitterInterArrivalMax":6,"PacketLossRate":6.51364E-06,"PacketLossRateMax":0.004950495,"BurstDensity":0.3888,"BurstDuration":180,"BurstGapDensity":0.0,"BurstGapDuration":349720,"BandwidthEst":17824203,"RoundTrip":21,"RoundTripMax":87,"PacketUtilization":153523,"RatioConcealedSamplesAvg":0.0003472927,"ConcealedRatioMax":0.008,"PayloadDescription":"g722","AudioSampleRate":16000,"AudioFECUsed":false,"SendListenMOS":null,"OverallAvgNetworkMOS":4.28022,"DegradationAvg":0.01978064,"DegradationMax":0.3237314,"NetworkJitterAvg":3.471459,"NetworkJitterMax":137.301,"JitterBufferSizeAvg":54,"JitterBufferSizeMax":230,"PossibleDataMissing":false,"StreamDirection":"FROM-to-TO"},{"JitterInterArrival":1,"JitterInterArrivalMax":6,"PacketLossRate":6.514955E-06,"PacketLossRateMax":0.004950495,"BurstDensity":null,"BurstDuration":null,"BurstGapDensity":null,"BurstGapDuration":null,"BandwidthEst":15743552,"RoundTrip":16,"RoundTripMax":116,"PacketUtilization":153525,"RatioConcealedSamplesAvg":0.0003473656,"ConcealedRatioMax":null,"PayloadDescription":"g72
2","AudioSampleRate":16000,"AudioFECUsed":false,"SendListenMOS":2.25,"OverallAvgNetworkMOS":null,"DegradationAvg":null,"DegradationMax":null,"NetworkJitterAvg":null,"NetworkJitterMax":null,"JitterBufferSizeAvg":null,"JitterBufferSizeMax":null,"PossibleDataMissing":false,"StreamDirection":"FROM-to-TO"}],"VideoStreams":null,"AudioSignals":[{"PossibleDataMissing":false,"SubmittedByFromUser":true,"SendSignalLevel":-18,"RecvSignalLevel":-17,"SendNoiseLevel":-63,"RecvNoiseLevel":-58,"AudioSpeakerGlitchRate":0,"AudioMicGlitchRate":0,"VsEntryCauses":"POSTAEC ECHO","EchoEventCauses":"ANLP|POSTAEC ECHO","RecvSignalLevelCh1":-17,"RecvSignalLevelCh2":null,"RecvNoiseLevelCh1":-58,"RecvNoiseLevelCh2":null,"SendSignalLevelCh1":-18,"SendSignalLevelCh2":null,"SendNoiseLevelCh1":-63,"SendNoiseLevelCh2":null,"RenderSignalLevel":0.0,"RenderNoiseLevel":0.0,"RenderLoopbackSignalLevel":-19.41677},{"PossibleDataMissing":false,"SubmittedByFromUser":false,"SendSignalLevel":null,"RecvSignalLevel":null,"SendNoiseLevel":null,"RecvNoiseLevel":null,"AudioSpeakerGlitchRate":null,"AudioMicGlitchRate":null,"VsEntryCauses":null,"EchoEventCauses":null,"RecvSignalLevelCh1":null,"RecvSignalLevelCh2":null,"RecvNoiseLevelCh1":null,"RecvNoiseLevelCh2":null,"SendSignalLevelCh1":null,"SendSignalLevelCh2":null,"SendNoiseLevelCh1":null,"SendNoiseLevelCh2":null,"RenderSignalLevel":0.0,"RenderNoiseLevel":0.0,"RenderLoopbackSignalLevel":null}],"AppSharingStreams":null,"FeedBackReports":null,"AudioClientEvents":[{"PossibleDataMissing":false,"SubmittedByFromUser":true,"NetworkSendQualityEventRatio":0.0,"NetworkReceiveQualityEventRatio":0.0,"NetworkDelayEventRatio":0.0,"NetworkBandwidthLowEventRatio":0.0,"CPUInsufficientEventRatio":0.0,"DeviceHalfDuplexAECEventRatio":0.4,"DeviceRenderNotFunctioningEventRatio":0.0,"DeviceCaptureNotFunctioningEventRatio":0.0,"DeviceGlitchesEventRatio":0.0,"DeviceLowSNREventRatio":0.0,"DeviceLowSpeechLevelEventRatio":0.09,"DeviceClippingEventRatio":0.0,"DeviceEchoEventRatio":0.04,"Devi
ceNearEndToEchoRatioEventRatio":0.0,"DeviceMultipleEndpointsEventCount":0,"DeviceHowlingEventCount":0,"DeviceRenderZeroVolumeEventRatio":0.0,"DeviceRenderMuteEventRatio":0.0},{"PossibleDataMissing":false,"SubmittedByFromUser":false,"NetworkSendQualityEventRatio":null,"NetworkReceiveQualityEventRatio":null,"NetworkDelayEventRatio":null,"NetworkBandwidthLowEventRatio":null,"CPUInsufficientEventRatio":null,"DeviceHalfDuplexAECEventRatio":null,"DeviceRenderNotFunctioningEventRatio":null,"DeviceCaptureNotFunctioningEventRatio":null,"DeviceGlitchesEventRatio":null,"DeviceLowSNREventRatio":null,"DeviceLowSpeechLevelEventRatio":null,"DeviceClippingEventRatio":null,"DeviceEchoEventRatio":null,"DeviceNearEndToEchoRatioEventRatio":null,"DeviceMultipleEndpointsEventCount":0,"DeviceHowlingEventCount":0,"DeviceRenderZeroVolumeEventRatio":null,"DeviceRenderMuteEventRatio":null}],"VideoClientEvents":null,"TraceRoutes":[{"PossibleDataMissing":false,"TraceRouteMediaLineLabelText":"main-audio","SubmittedByFromUser":true,"Hop":0,"IPAddress":"146.222.35.135","RTT":1}]}
0 Karma

FrankVl
Ultra Champion

Can you post some sample data, otherwise it is a bit hard to figure out what may be wrong here.

Also: you mention you want to extract from a column called QoEReport, why not do | rex field = QoEReport "...regex..." then?

0 Karma

dannili
Communicator

@FrankVl as for the proposed solution you mean sth like this?

    rex field = QoEReport "FromIPAddr\":\"(?<FromIPAddr>[^\"]+)\",\"ToIPAddr\""

But this will lead to the error:

    Error in 'rex' command: The regex 'field' does not extract anything. It should specify at least one named group. Format: (?<name>...).

As for sample data, please refer to the edited question.

0 Karma

FrankVl
Ultra Champion

That means the QoEReport field does not exist. So as @493669 already suggested: can you please post a screenshot to help us understand?

0 Karma

493669
Super Champion

Can you provide your raw event to understand better...

0 Karma

dannili
Communicator

@493669 yeah sure. Please refer to the updated question.

0 Karma

493669
Super Champion

I have edited the last regex and it works fine:

     | rex "FromIPAddr\":\"(?<FromIPAddr>[^\"]+)\",\"ToIPAddr\"" 
     | rex "ToIPAddr\":\"(?<ToIPAddr>[^\"]+)\",\"FromBssid\"" 
     | rex "PacketLossRate\":\"(?<Stream_1_PacketLossRate>[^\"]+)\",\"PacketLossRateMax\"" 
     | rex "\"RoundTrip\":(?<Stream_1_RoundTrip>\d+).+\"RoundTrip\":(?<Stream_2_RoundTrip>\d+)" 
     | rex "\"JitterInterArrival\":(?<Stream_1_JitterInterArrival>\d+).+\"JitterInterArrival\":(?<Stream_2_JitterInterArrival>\d+)" 
     | rex "\"PacketLossRate\":(?<Stream_1_PacketLossRate>\d+).+\"PacketLossRate\":(?<Stream_2_PacketLossRate>\d+)" 
     | rex "\"OverallAvgNetworkMOS\":(?<OverallAvgNetworkMOS>[^,]+).*\"OverallAvgNetworkMOS\":(?<OverallAvgNetworkMOS2>[^,]+)"
0 Karma

dannili
Communicator

@493669 Sorry I just tried your edited method but still nothing showed up. Also I noticed that if I directly display QoEReport column using table only the first two lines in each cell will show up. Do you think this could be the reason?

0 Karma

493669
Super Champion

Is the given data raw data?
If you only try index="session" then the result which comes back is raw data... is it the same as in the question?
I tried the query below, which works:

| makeresults |eval _raw="Kernel Version 17.5.0: Fri Apr 13 19:32:32 PDT 2018; root:xnu-4570.51.2~1/RELEASE_X86_64\",\"ToOS\":\"\",\"FromCPUName\":\"Intel(R) Core(TM) i5-5250U CPU @ 1.60GHz\",\"ToCPUName\":\"\",\"FromCPUNumberOfCores\":2,\"ToCPUNumberOfCores\":null,\"FromCPUProcessorSpeed\":1600,\"ToCPUProcessorSpeed\":1800,\"FromVirtualizationFlag\":null,\"ToVirtualizationFlag\":null,\"PossibleDataMissing\":false},\"MediaLines\":[{\"MediaLineLabelText\":\"main-audio\",\"MidCallReport\":false,\"FromConnectivityIce\":\"DIRECT\",\"ToConnectivityIce\":\"\",\"Transport\":\"UDP\",\"Security\":\"SRTP\",\"FromPort\":50004,\"ToPort\":52320,\"FromRelayIPAddr\":\"52.113.1.28\",\"ToRelayIPAddr\":\"52.114.60.71\",\"FromRelayPort\":58012,\"ToRelayPort\":null,\"FromCaptureDev\":\"Built-in Microphone\",\"ToCaptureDev\":\"\",\"FromCaptureDevDriver\":\"\",\"ToCaptureDevDriver\":\"\",\"FromRenderDev\":\"Built-in Output\",\"ToRenderDev\":\"\",\"FromRenderDevDriver\":\"\",\"ToRenderDevDriver\":\"\",\"FromVPN\":false,\"ToVPN\":false,\"FromLinkSpeed\":146080000,\"ToLinkSpeed\":1000000000,\"FromNetworkConnectionDetail\":\"wifi\",\"ToNetworkConnectionDetail\":\"wired\",\"FromIPAddr\":\"52.114.60.71\",\"ToIPAddr\":\"52.114.60.71\",\"FromBssid\":null,\"ToBssid\":null,\"FromReflexiveLocalIPAddr\":\"98.210.208.202\",\"ToReflexiveLocalIPAddr\":\"10.11.180.137\",\"FromWifiDriverDeviceDesc\":\"\",\"ToWifiDriverDeviceDesc\":\"\",\"FromWifiDriverVersion\":\"\",\"ToWifiDriverVersion\":\"\",\"FromWifiRSSI\":0,\"ToWifiRSSI\":0,\"FromSSID\":\"\",\"ToSSID\":\"\",\"FromWifiChannel\":0,\"ToWifiChannel\":0,\"FromActivePowerProfile\":0,\"ToActivePowerProfile\":0,\"FromWifiHandovers\":0,\"ToWifiHandovers\":0,\"FromWifiChannelSwitches\":0,\"ToWifiChannelSwitches\":0,\"FromWifiChannelReassociations\":0,\"ToWifiChannelReassociations\":0,\"FromWifiRadioFrequency\":0,\"ToWifiRadioFrequency\":0,\"FromWifiSignalStrength\":0,\"ToWifiSignalStrength\":0,\"PossibleDataMissing\":false}],\"AudioStreams\":[{\"JitterInterA
rrival\":10,\"JitterInterArrivalMax\":24,\"PacketLossRate\":0.01353227,\"PacketLossRateMax\":0.09027778,\"BurstDensity\":null,\"BurstDuration\":null,\"BurstGapDensity\":null,\"BurstGapDuration\":null,\"BandwidthEst\":25245423,\"RoundTrip\":520,\"RoundTripMax\":11099,\"PacketUtilization\":2843,\"RatioConcealedSamplesAvg\":0.02746676,\"ConcealedRatioMax\":0.01598402,\"PayloadDescription\":\"SIREN\",\"AudioSampleRate\":16000,\"AudioFECUsed\":true,\"SendListenMOS\":null,\"OverallAvgNetworkMOS\":3.487248,\"DegradationAvg\":0.2727518,\"DegradationMax\":0.2727518,\"NetworkJitterAvg\":253.0633,\"NetworkJitterMax\":1149.659,\"JitterBufferSizeAvg\":220,\"JitterBufferSizeMax\":1211,\"PossibleDataMissing\":false,\"StreamDirection\":\"FROM-to-TO\"},{\"JitterInterArrival\":10,\"JitterInterArrivalMax\":24,\"PacketLossRate\":0.01342051,\"PacketLossRateMax\":0.09027778,\"BurstDensity\":null,\"BurstDuration\":null,\"BurstGapDensity\":null,\"BurstGapDuration\":null,\"BandwidthEst\":2347573,\"RoundTrip\":721,\"RoundTripMax\":1703,\"PacketUtilization\":2906,\"RatioConcealedSamplesAvg\":0.02746676,\"ConcealedRatioMax\":null,\"PayloadDescription\":\"SIREN\",\"AudioSampleRate\":16000,\"AudioFECUsed\":true,\"SendListenMOS\":3.5,\"OverallAvgNetworkMOS\":null,\"DegradationAvg\":null,\"DegradationMax\":null,\"NetworkJitterAvg\":null,\"NetworkJitterMax\":null,\"JitterBufferSizeAvg\":null,\"JitterBufferSizeMax\":null,\"PossibleDataMissing\":false,\"StreamDirection\":\"TO-to-FROM\"}],\"VideoStreams\":null,\"AudioSignals\":[{\"PossibleDataMissing\":false,\"SubmittedByFromUser\":true,\"SendSignalLevel\":-20,\"RecvSignalLevel\":-14,\"SendNoiseLevel\":-64,\"RecvNoiseLevel\":-58,\"AudioSpeakerGlitchRate\":null,\"AudioMicGlitchRate\":null,\"VsEntryCauses\":null,\"EchoEventCauses\":null,\"RecvSignalLevelCh1\":-14,\"RecvSignalLevelCh2\":null,\"RecvNoiseLevelCh1\":-58,\"RecvNoiseLevelCh2\":null,\"SendSignalLevelCh1\":-20,\"SendSignalLevelCh2\":null,\"SendNoiseLevelCh1\":-64,\"SendNoiseLevelCh2\":null,\"Re
nderSignalLevel\":0.0,\"RenderNoiseLevel\":0.0,\"RenderLoopbackSignalLevel\":null},{\"PossibleDataMissing\":false,\"SubmittedByFromUser\":false,\"SendSignalLevel\":null,\"RecvSignalLevel\":null,\"SendNoiseLevel\":null,\"RecvNoiseLevel\":null,\"AudioSpeakerGlitchRate\":null,\"AudioMicGlitchRate\":null,\"VsEntryCauses\":null,\"EchoEventCauses\":null,\"RecvSignalLevelCh1\":null,\"RecvSignalLevelCh2\":null,\"RecvNoiseLevelCh1\":null,\"RecvNoiseLevelCh2\":null,\"SendSignalLevelCh1\":null,\"SendSignalLevelCh2\":null,\"SendNoiseLevelCh1\":null,\"SendNoiseLevelCh2\":null,\"RenderSignalLevel\":0.0,\"RenderNoiseLevel\":0.0,\"RenderLoopbackSignalLevel\":null}],\"AppSharingStreams\":null,\"FeedBackReports\":null,\"AudioClientEvents\":[{\"PossibleDataMissing\":false,\"SubmittedByFromUser\":true,\"NetworkSendQualityEventRatio\":0.0,\"NetworkReceiveQualityEventRatio\":0.0,\"NetworkDelayEventRatio\":0.23,\"NetworkBandwidthLowEventRatio\":0.0,\"CPUInsufficientEventRatio\":0.0,\"DeviceHalfDuplexAECEventRatio\":0.0,\"DeviceRenderNotFunctioningEventRatio\":0.0,\"DeviceCaptureNotFunctioningEventRatio\":0.0,\"DeviceGlitchesEventRatio\":0.0,\"DeviceLowSNREventRatio\":0.0,\"DeviceLowSpeechLevelEventRatio\":0.0,\"DeviceClippingEventRatio\":0.0,\"DeviceEchoEventRatio\":0.0,\"DeviceNearEndToEchoRatioEventRatio\":0.0,\"DeviceMultipleEndpointsEventCount\":0,\"DeviceHowlingEventCount\":0,\"DeviceRenderZeroVolumeEventRatio\":0.0,\"DeviceRenderMuteEventRatio\":0.0},{\"PossibleDataMissing\":false,\"SubmittedByFromUser"
     | rex "FromIPAddr\":\"(?<FromIPAddr>[^\"]+)\",\"ToIPAddr\"" 
     | rex "ToIPAddr\":\"(?<ToIPAddr>[^\"]+)\",\"FromBssid\"" 
     | rex "PacketLossRate\":\"(?<Stream_1_PacketLossRate>[^\"]+)\",\"PacketLossRateMax\"" 
     | rex "\"RoundTrip\":(?<Stream_1_RoundTrip>\d+).+\"RoundTrip\":(?<Stream_2_RoundTrip>\d+)" 
     | rex "\"JitterInterArrival\":(?<Stream_1_JitterInterArrival>\d+).+\"JitterInterArrival\":(?<Stream_2_JitterInterArrival>\d+)" 
     | rex "\"PacketLossRate\":(?<Stream_1_PacketLossRate>\d+).+\"PacketLossRate\":(?<Stream_2_PacketLossRate>\d+)" 
     | rex "\"OverallAvgNetworkMOS\":(?<OverallAvgNetworkMOS>[^,]+).*\"OverallAvgNetworkMOS\":(?<OverallAvgNetworkMOS2>[^,]+)"
0 Karma

dannili
Communicator

Yes. I used index ="session" to get the whole csv file and data provided below is from one cell in QoEReport column. As for the solution I also tried and it worked fine, but this is only for one cell, when all cells from the column are different I don't know what to do...

0 Karma

493669
Super Champion

Can you please share a screenshot of the result of index="session" to understand better..

0 Karma