Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to extract a field from multi valued event?

jkirankumar1993
New Member
‎03-02-2018 10:12 AM

Hi,

This is the sample event

GA.769:180302:113834:: INFO.PSA: Getting issue for ID: 931778
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'AE Test Fail' of type com.atlassian.servicedesk.internal.sla.customfield.SLACFType w...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'AE Testing in Progress' of type com.atlassian.servicedesk.internal.sla.customfield.S...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Activating' of type com.atlassian.servicedesk.internal.sla.customfield.SLACFType was...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Adding to .Net Website' of type com.atlassian.servicedesk.internal.sla.customfield.S...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'All Sec Incidents (closed)' of type com.atlassian.servicedesk.internal.sla.customfie...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Application Certification' of type com.atlassian.servicedesk.internal.sla.customfiel...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Approvals' of type com.atlassian.servicedesk.plugins.approvals.internal.customfield....
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Approvals' of type com.atlassian.servicedesk.plugins.approvals.internal.customfield....
class type: java.util.HashMap
map values: null --> 505 :: NetOps-HR
map values: 1 --> 90109
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'BHN Test' of type com.atlassian.servicedesk.internal.sla.customfield.SLACFType was s...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Building Test Lines' of type com.atlassian.servicedesk.internal.sla.customfield.SLAC...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Checking Connectivity' of type com.atlassian.servicedesk.internal.sla.customfield.SL...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Connect to Network and Add to INS' of type com.atlassian.servicedesk.internal.sla.cu...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Connecting MTA to Network' of type com.atlassian.servicedesk.internal.sla.customfiel...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Creating Test Accounts' of type com.atlassian.servicedesk.internal.sla.customfield.S...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Customer Request Type' of type com.atlassian.servicedesk.internal.customfields.origi...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Customer Response Time' of type com.atlassian.servicedesk.internal.sla.customfield.S...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'DOCSIS Test' of type com.atlassian.servicedesk.internal.sla.customfield.SLACFType wa...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Days to Resolution' of type com.atlassian.servicedesk.internal.sla.customfield.SLACF...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Epic Link' of type com.atlassian.greenhopper.customfield.epiclink.EpicLinkCFType was...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'FCC 2 Weeks' of type com.atlassian.servicedesk.internal.sla.customfield.SLACFType wa...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'FCC 3 Weeks' of type com.atlassian.servicedesk.internal.sla.customfield.SLACFType wa...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'First Response' of type com.atlassian.servicedesk.internal.sla.customfield.SLACFType...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'First Response Task Metric' of type com.atlassian.servicedesk.internal.sla.customfie...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'IT Testing' of type com.atlassian.servicedesk.internal.sla.customfield.SLACFType was...

When I use regular expression I am getting the value from the first line but not from the other lines. I want to capture the fields that start after INFO.getCustomFieldValues(): field.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎03-02-2018 10:44 AM

@jkirankumar1993, you would need to use max_match=0 to fetch multiple values for the multi-valued field extraction using rex command. Try the following run anywhere search based on sample data provided:

| makeresults
| eval _raw="GA.769:180302:113834:: INFO.PSA: Getting issue for ID: 931778
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'AE Test Fail' of type com.atlassian.servicedesk.internal.sla.customfield.SLACFType w...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'AE Testing in Progress' of type com.atlassian.servicedesk.internal.sla.customfield.S...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Activating' of type com.atlassian.servicedesk.internal.sla.customfield.SLACFType was...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Adding to .Net Website' of type com.atlassian.servicedesk.internal.sla.customfield.S...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'All Sec Incidents (closed)' of type com.atlassian.servicedesk.internal.sla.customfie...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Application Certification' of type com.atlassian.servicedesk.internal.sla.customfiel...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Approvals' of type com.atlassian.servicedesk.plugins.approvals.internal.customfield....
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Approvals' of type com.atlassian.servicedesk.plugins.approvals.internal.customfield....
class type: java.util.HashMap
map values: null --> 505 :: NetOps-HR
map values: 1 --> 90109
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'BHN Test' of type com.atlassian.servicedesk.internal.sla.customfield.SLACFType was s...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Building Test Lines' of type com.atlassian.servicedesk.internal.sla.customfield.SLAC...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Checking Connectivity' of type com.atlassian.servicedesk.internal.sla.customfield.SL...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Connect to Network and Add to INS' of type com.atlassian.servicedesk.internal.sla.cu...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Connecting MTA to Network' of type com.atlassian.servicedesk.internal.sla.customfiel...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Creating Test Accounts' of type com.atlassian.servicedesk.internal.sla.customfield.S...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Customer Request Type' of type com.atlassian.servicedesk.internal.customfields.origi...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Customer Response Time' of type com.atlassian.servicedesk.internal.sla.customfield.S...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'DOCSIS Test' of type com.atlassian.servicedesk.internal.sla.customfield.SLACFType wa...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Days to Resolution' of type com.atlassian.servicedesk.internal.sla.customfield.SLACF...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Epic Link' of type com.atlassian.greenhopper.customfield.epiclink.EpicLinkCFType was...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'FCC 2 Weeks' of type com.atlassian.servicedesk.internal.sla.customfield.SLACFType wa...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'FCC 3 Weeks' of type com.atlassian.servicedesk.internal.sla.customfield.SLACFType wa...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'First Response' of type com.atlassian.servicedesk.internal.sla.customfield.SLACFType...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'First Response Task Metric' of type com.atlassian.servicedesk.internal.sla.customfie...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'IT Testing' of type com.atlassian.servicedesk.internal.sla.customfield.SLACFType was..."
| rex "INFO\.getCustomFieldValues\(\):\sfield\s\'(?<myField>[^\']+)\'\sof\stype" max_match=0
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

niketn
Legend
‎03-02-2018 10:44 AM

@jkirankumar1993, you would need to use max_match=0 to fetch multiple values for the multi-valued field extraction using rex command. Try the following run anywhere search based on sample data provided:

| makeresults
| eval _raw="GA.769:180302:113834:: INFO.PSA: Getting issue for ID: 931778
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'AE Test Fail' of type com.atlassian.servicedesk.internal.sla.customfield.SLACFType w...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'AE Testing in Progress' of type com.atlassian.servicedesk.internal.sla.customfield.S...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Activating' of type com.atlassian.servicedesk.internal.sla.customfield.SLACFType was...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Adding to .Net Website' of type com.atlassian.servicedesk.internal.sla.customfield.S...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'All Sec Incidents (closed)' of type com.atlassian.servicedesk.internal.sla.customfie...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Application Certification' of type com.atlassian.servicedesk.internal.sla.customfiel...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Approvals' of type com.atlassian.servicedesk.plugins.approvals.internal.customfield....
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Approvals' of type com.atlassian.servicedesk.plugins.approvals.internal.customfield....
class type: java.util.HashMap
map values: null --> 505 :: NetOps-HR
map values: 1 --> 90109
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'BHN Test' of type com.atlassian.servicedesk.internal.sla.customfield.SLACFType was s...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Building Test Lines' of type com.atlassian.servicedesk.internal.sla.customfield.SLAC...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Checking Connectivity' of type com.atlassian.servicedesk.internal.sla.customfield.SL...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Connect to Network and Add to INS' of type com.atlassian.servicedesk.internal.sla.cu...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Connecting MTA to Network' of type com.atlassian.servicedesk.internal.sla.customfiel...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Creating Test Accounts' of type com.atlassian.servicedesk.internal.sla.customfield.S...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Customer Request Type' of type com.atlassian.servicedesk.internal.customfields.origi...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Customer Response Time' of type com.atlassian.servicedesk.internal.sla.customfield.S...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'DOCSIS Test' of type com.atlassian.servicedesk.internal.sla.customfield.SLACFType wa...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Days to Resolution' of type com.atlassian.servicedesk.internal.sla.customfield.SLACF...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'Epic Link' of type com.atlassian.greenhopper.customfield.epiclink.EpicLinkCFType was...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'FCC 2 Weeks' of type com.atlassian.servicedesk.internal.sla.customfield.SLACFType wa...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'FCC 3 Weeks' of type com.atlassian.servicedesk.internal.sla.customfield.SLACFType wa...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'First Response' of type com.atlassian.servicedesk.internal.sla.customfield.SLACFType...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'First Response Task Metric' of type com.atlassian.servicedesk.internal.sla.customfie...
GA.769:180302:113834:: INFO.getCustomFieldValues(): field 'IT Testing' of type com.atlassian.servicedesk.internal.sla.customfield.SLACFType was..."
| rex "INFO\.getCustomFieldValues\(\):\sfield\s\'(?<myField>[^\']+)\'\sof\stype" max_match=0
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

jkirankumar1993
New Member
‎03-02-2018 11:10 AM

Your query worked great for this single event. But, I have series of events and i want to extract these values as a field so that I can make a report

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎03-04-2018 05:21 AM

Try adding mvexpand to your query to expand the multiple values of that is what you want.

<yourBaseSearch>
| fields _raw
| rex "INFO\.getCustomFieldValues\(\):\sfield\s\'(?<myField>[^\']+)\'\sof\stype" max_match=0
| mvexpand myField 
| table myField
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

jkirankumar1993
New Member
‎03-05-2018 07:53 AM

Worked Great. Thanks a lot

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎03-05-2018 07:57 AM

Glad you found it working. Please up vote the comments that helped 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

jkirankumar1993
New Member
‎03-02-2018 11:07 AM

I have series of events like this. I want to extract field called "custom_field" from all these multi valued events.

Example or sample output of extracted field:

AE Test Fail
AE Testing in Progress
Activating
.............
.............

Note: I dont have access to any config files. So, can you tell any regular expression to capture all those values?

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...