Solved: Re: extract a multiline field value into multiple ...

yashaswinig2210 · ‎12-21-2020

Hi,

I have a query which gives GroupName and its members in the below format

GroupName member
Domain Admins CN=firstname1\, lastname1 P0,OU=P0-Accounts,OU=test OU
CN=firstname2\, lastname2 P1,OU=P1-Accounts,OU=test OU
CN=firstname3\, lastname3 P3,OU=P3-Accounts,OU=test OU

And im trying to extract it in multiple events like below seperately for each and every member

GroupName member
Domain Admins CN=firstname1\, lastname1 P0,OU=P0-Accounts,OU=test OU
Domain Admins CN=firstname2\, lastname2 P1,OU=P1-Accounts,OU=test OU
Domain Admins CN=firstname3\, lastname3 P3,OU=P3-Accounts,OU=test OU

renjith_nair · ‎12-21-2020

Does mvexpand work for you?

"your search"
|mvexpand member

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

renjith_nair · ‎12-21-2020

Does mvexpand work for you?

"your search"
|mvexpand member

---
What goes around comes around. If it helps, hit it with Karma 🙂

yashaswinig2210 · ‎12-21-2020

@renjith_nair No mvexpand didnt work

renjith_nair · ‎12-21-2020

Ok , so why didn't work, is it not a multi value field? or can you share the search which results in the existing state?

---
What goes around comes around. If it helps, hit it with Karma 🙂

yashaswinig2210 · ‎12-21-2020

Hey thanks now I realised my mistake i have used mvexpand on my lookup so it didnt work and now I tried mvexpand on actual index and sourcetype its working fine

extract a multiline field value into multiple events

Splunk Web Framework

SplunkJS

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?