Solved: Re: Multiple value for the same field in one event...

prettysunshinez · ‎03-11-2020

I have an event having 3 errors..
I have a regular expression written to capture the error as "ERROR".
And now i have a lookup file and I input the ERROR value and output Comments for the respective error.

I do not have issues when there is just one value for ERROR field in one event(i.e., if there is only one error in a event)
But when there are more than one error,then i get the result as below.
Kindly help..

manjunathmeti · ‎03-16-2020

Expand ERROR values before lookup command.

index= |(regular expression to catch the error from the logs as ERROR) | mvexpand ERROR | lookup abc.csv ERROR output Comments |stats count by Comments

View solution in original post

manjunathmeti · ‎03-16-2020

Expand ERROR values before lookup command.

index= |(regular expression to catch the error from the logs as ERROR) | mvexpand ERROR | lookup abc.csv ERROR output Comments |stats count by Comments

woodcock · ‎03-14-2020

What you are describing is not possible unless you have a Lookup Definition with some extra settings in it. It is pointless to continue without you spelling out everything including at least 2 lines of your Lookup File and your search SPL and your Lookup Definition.

to4kawa · ‎03-11-2020

index=your_index 
|(regular expression to catch the error from the logs as ERROR) 
| stats count by ERROR
| lookup abc.csv ERROR output Comments

I see, this query excludes same ERROR
How about this?

In your last comment, |stats count by Comments
This result is following:

Comments count
abc  3
bcd  1
....

This result is not your first expect result.
Which do you want?

prettysunshinez · ‎03-11-2020

Am sorry I missed it..
I get the error also as part of output from lookup file..and i do statistics count and values based on ERROR..

prettysunshinez · ‎03-11-2020

index= |(regular expression to catch the error from the logs as ERROR) | lookup abc.csv ERROR output Comments |stats count by Comments

abc.csv:
ERROR Comments
Error1 abc
Error2 abc
Error3 bcd
Error4 bed
Error5 abc

woodcock · ‎03-22-2020

Why are you being so vauge? Show us ALL of your search! The rex part is probably THE MOST IMPORTANT PART and yet you stripped it!?!?

prettysunshinez · ‎03-11-2020

Regular followed by max_match=0..
In order to capture all the occurences of ERROR

woodcock · ‎03-22-2020

SHOW US THE FULL SEARCH SPL and a few sample events.

manjunathmeti · ‎03-11-2020

can you post your query?

to4kawa · ‎03-11-2020

"ERROR" field is multivalue?

prettysunshinez · ‎03-11-2020

Single value only

Multiple value for the same field in one event.How to determine statistics

eval

stats

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases