- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Returning specific field values from multivalue ex...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Returning specific field values from multivalue extractions
Hello Splunkers/Splunkettes!
I appear to be having a Splunkers block.
I am performing a multivalue field extraction similar to my previous question. Essentially, given the following sample output:
29/02/2012 16:00 - Printer Usage Report
Printer 1: Canon (123)
Printer 2: Canon (456)
Printer 3: Xerox (789)
Printer 4: Epson (012)
Printer 5: HP (345)
**** END REPORT ****
I am extracting printer_id, printer_vendor, and toner_level using the following config in transforms.conf:
[printer_toner_extract]
REGEX = (?i)Printer\s(\d+):\s(\w+)\s+\(\(\d+)
FORMAT = printer_id::$1 printer_vendor::$2 toner_level::$3
MV_ADD = true
This appears to work fine as the field picker now shows all the fields and their values.
However when I attempt to chart the toner_level for a specific printer (eg. Printer 2)
printer_id="2" | chart list(toner_level)
This returns the toner_level values for every printer where printer 2 was in the event. ie:
list(starting_stack)
----------------------------
123
456
789
012
345
...
What I am hoping to see would be a list of just the values for Printer 2 ie:
list(starting_stack)
----------------------------
456
...
Many thanks in advance 🙂
Note: I am using list(X) here as it is meant to return specific values in chronological order.
How do I constrain the toner_level value to be specific to the printer_id I'm interested in?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think the problem is because by doing the MV extraction you are losing associativity amongst the fields ie: Printer X does not know what toner and vendor values from the other MV fields belong to itself.
So here is an alternate approach that should work for you that uses a search time field extraction and breaks the Printer metrics into individual events, which should make it easier for you to use the stats,chart and timechart commands.
props.conf
[printer_usage]
NO_BINARY_CHECK=1
SHOULD_LINEMERGE=true
BREAK_ONLY_BEFORE=^Printer\s\d+:.*$
EXTRACT-printer_toner_extract = (?i)Printer\s(?<printer_id>\d+):\s(?<printer_vendor>\w+)\s+\((?<toner_level>\d+)
Example Searches
With this search you can chart the toner levels over time by Printer ID:
sourcetype=printer_usage | timechart max(toner_level) by printer_id
And the search from your original question :
sourcetype=printer_usage printer_id=2 | stats list(toner_level)
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
