How to generate a search result of the row in an event containing multivalue fields that matches a pattern in one of the fields?

ricotries
Communicator

I am experimenting with events that generate data in a tabular manner and I want to create a historical graph of data from events with multivalue fields. As a test, I am logging the output of "df -hP" as a single event every few hours. The output looks like:

/dev/mapper/vg_1-lv_home      59G   52M   56G   1%   /home   
/dev/sda1      477M  40M   412M   9%  /boot  
tmpfs      24G   0   24G   0%   /dev/shm
<...>  

I want to be able to extract all the fields per row by simply matching one field (the first, which equals 'device'). I know that you can do the following search:

source="df -Ph" 
| eval var1=mvindex(device, 0)
| eval ...
...
| table var1, ...

But this approach involves already knowing the order of the output to know which device you're selecting, which will not always be the case.

Is there a way to do what I'm trying to do?

NOTE:
I have already set up props/transforms to do multivalue search-time extraction. What I'm trying to do now is "extract" or output only the rows that match a search for the device name (first column).
Example (pseudocode):

if (device == /dev/sda1)
then
    get device.row
    print all fields in device.row
fi

codebuilder
SplunkTrust

Use mvexpand on the field you are searching against, and pipe your results to search for a specific value. (Note: you can only use mvexpand on a single field, but this should resolve it for you).

https://docs.splunk.com/Documentation/Splunk/8.0.2/SearchReference/Mvexpand

----
An upvote would be appreciated and Accept Solution if it helps!
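A worked version of this approach, added here as an example and not taken from the answer above or from Splunk documentation. It assumes the search-time extraction yields six multivalue fields in df column order, named device, size, used, avail, pct and mount (the field names other than device are assumptions; rename them to match your transforms). Because mvexpand only expands one field, expanding device on its own would leave the other five fields multivalued and detached from their row, so the example first glues each row's values together with mvzip, expands the combined field, and then splits it back into per-row single-value fields before filtering on device:

```spl
source="df -Ph"
| eval row=mvzip(mvzip(mvzip(mvzip(mvzip(device, size, "|"), used, "|"), avail, "|"), pct, "|"), mount, "|")
| mvexpand row
| eval cols=split(row, "|")
| eval device=mvindex(cols, 0), size=mvindex(cols, 1), used=mvindex(cols, 2),
       avail=mvindex(cols, 3), pct=mvindex(cols, 4), mount=mvindex(cols, 5)
| search device="/dev/sda1"
| eval pct_used=tonumber(rtrim(pct, "%"))
| table _time, device, size, used, avail, pct, mount, pct_used
```

The "|" delimiter is chosen because df output never contains it; the default "," would also work here. After the search line, every surviving event is one row for one device at one point in time, so replacing the final table with `| timechart latest(pct_used)` gives the historical graph the question asks for. Note that mvexpand is bounded by the max_mem_usage_mb limit in limits.conf, so very large df outputs may be truncated with a warning in the job inspector.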

niketn
Legend

@ricotries if we do not know the sequence, we would have to know the pattern to use Regular Expression. Please add more details with sample values (mock up any sensitive information before posting on Splunk Answers) for the community to assist you better.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"