Reporting

How do I generate a search result for the row in an event containing multivalue fields that matches a pattern in one of the fields?

ricotries
Communicator

I am experimenting with events that generate data in a tabular manner and I want to create a historical graph of data from events with multivalue fields. As a test, I am logging the output of "df -hP" as a single event every few hours. The output looks like:

/dev/mapper/vg_1-lv_home   59G   52M   56G   1%   /home
/dev/sda1                 477M   40M  412M   9%   /boot
tmpfs                      24G    0    24G   0%   /dev/shm
<...>

I want to be able to extract all the fields per row by simply matching one field (the first, which equals 'device'). I know that you can do the following search:

source="df -Ph" 
| eval var1=mvindex(device, 0)
| eval ...
...
| table var1, ...

But this approach involves already knowing the order of the output to know which device you're selecting, which will not always be the case.

Is there a way to do what I'm trying to do?

NOTE:
I have already set up props/transforms to do multivalue search-time extraction. What I'm trying to do now is "extract" or output only the rows that match a search for the device name (first column).
Example (pseudocode):

if (device == /dev/sda1)
then
    get device.row
    print all fields in device.row
fi

codebuilder
Influencer

Use mvexpand on the field you are searching against, and pipe your results to search for a specific value. (Note: you can only use mvexpand on a single field, but this should resolve it for you).

https://docs.splunk.com/Documentation/Splunk/8.0.2/SearchReference/Mvexpand

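A worked version of the mvexpand approach, added here as an illustration rather than code from the answer above. The multivalue column names (device, size, used, avail, use_pct, mount) and the sample values are assumptions built from the df output in the question, via makeresults and split, so the search runs without the poster's props/transforms. Because mvexpand only expands one field, the six columns are first glued together with mvzip so that every expanded row still carries all of its own values; after the filter, the columns are split back out with split and mvindex.

```spl
| makeresults
| eval device=split("/dev/mapper/vg_1-lv_home,/dev/sda1,tmpfs", ",")
| eval size=split("59G,477M,24G", ",")
| eval used=split("52M,40M,0", ",")
| eval avail=split("56G,412M,24G", ",")
| eval use_pct=split("1%,9%,0%", ",")
| eval mount=split("/home,/boot,/dev/shm", ",")
| eval row=mvzip(mvzip(mvzip(mvzip(mvzip(device, size, "|"), used, "|"), avail, "|"), use_pct, "|"), mount, "|")
| mvexpand row
| eval device=mvindex(split(row, "|"), 0)
| eval size=mvindex(split(row, "|"), 1)
| eval used=mvindex(split(row, "|"), 2)
| eval avail=mvindex(split(row, "|"), 3)
| eval use_pct=mvindex(split(row, "|"), 4)
| eval mount=mvindex(split(row, "|"), 5)
| search device="/dev/sda1"
| table _time, device, size, used, avail, use_pct, mount
```

In the real search, replace the makeresults and split lines with source="df -Ph" so the multivalue fields come from the search-time extraction; the mvzip, mvexpand and split steps stay the same. The search filter on device can be any pattern (for example device="/dev/sd*"), and because every row is now a separate event, the remaining columns can be charted over _time for the historical graph.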

niketn
Legend

@ricotries if we do not know the sequence, we would have to know the pattern in order to use a regular expression. Please add more details with sample values (mock up any sensitive information before posting on Splunk Answers) for the community to assist you better.
