- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Raw data only parsing the first instance
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Raw data only parsing the first instance
Hello All,
I have a data like this
X1=[A(status=X, reason=Y), A(status=Z, reason=Y), A(status=xyz, reason=abc)]
Now when I am using the query <search criteria> | table status, reason it is giving values "X" and "Y"
1. Trying to understand why it is not considering the values Z & Y and xyz & abc
2. If I have to get the result of values Z & Y and xyz & abc how to retrieve?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sample query:
| makeresults
| eval _raw="service: mnp, o=123, X1=[A(status=X, reason=Y), A(status=Z, reason=Y), A(status=xyz, reason=abc)]"
| rex max_match=0 "status=(?<status>\w+), reason=(?<reason>\w+)"
| table status reason
| eval _counter = mvrange(0,mvcount(status))
| stats list(*) as * by _counter
| foreach * [ eval <<FIELD>> = mvindex('<<FIELD>>', _counter)]
| fields - _*
recommend:
<search criteria>
| rex max_match=0 "status=(?<status>\w+), reason=(?<reason>\w+)"
| fields status reason
| eval _counter = mvrange(0,mvcount(status))
| stats list(*) as * by _counter
| foreach * [ eval <<FIELD>> = mvindex('<<FIELD>>', _counter)]
| fields - _*
| table status, reason
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @to4kawa
It is still giving me values "X" and "Y"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
use where OR search
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am only using where but still the same
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I see, your query is wrong
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @to4kawa
can you please explain a bit more when you say the query is wrong? What I meant above is in the complete query I am not using search instead using where
service
| where not reason like "%P%"
|table status, reason
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| where not reason like "%P%"
This can't work.
where "%P%" come from?
Don't you select NOT (status="X" AND reason="Y")?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What is <search criteria>?
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @richgalloway the raw data is like service: mnp, o=123, X1=[A(status=X, reason=Y), A(status=Z, reason=Y), A(status=xyz, reason=abc)]
and my <search criteria> is service
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
