Splunk Search

Transactions and mvexpand on _raw

dspracklen
Path Finder

While there was a good question related to my problem, the answers aren't solving my problem.

I need to constrain data to a list of event times for a list of given objects. I can constrain this using transaction and a dedup. This seems to work as best as I can tell. Like with previous questions, I then need to run stats on the events in each transaction to summarize them.

Currently, the relevant bits of my search look like this:
-etc etc etc- | transaction transField mvraw=true | dedup assetID | mvexpand _raw | stats etc etc

The problem is that I can never get mvexpand to recognize that _raw is a valid field. Invariably I get "Field '_raw' does not exist in the data." Replacing mvexpand with a table command shows the field is there, however.

1 Solution

dspracklen
Path Finder

The advice from sdaniels in his comment worked like a charm. Setting a new field to the value of _raw and then using mvexpand on that works. I'm not sure why _raw was invalid, but perhaps it is a change with version 5 of Splunk.


Michael
Contributor

Hmm, with due respect (I know a lot of time has passed -- I'm on v 7.3.3), this might have worked before, but not now.

I'm trying to simply expand out the results of a "df -h" from a text'd output file -- and it's being very reluctant...


sdaniels
Splunk Employee

Glad I could help. The underscore fields are treated differently in Splunk in general and sometimes you are required to create a new copy of the field to work on it.

dspracklen
Path Finder

I just gave it a shot and voila, that seems to do the trick. I can't believe I didn't even consider that, but _raw seems to be fine in all other uses. I wonder if it's a change with the new version.

Anyway, thanks for the advice. Time to get back to getting this report into shape!

sdaniels
Splunk Employee

Have you tried to create a copy of _raw and then use that in your command? | eval rawCopy = _raw | mvexpand rawCopy | rename rawCopy as _raw
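A complete, self-contained version of the workaround from the thread, added here as an illustration and not taken from any of the posts above. It reuses the field names from the original question (transField, assetID) and builds six constructed sample events with makeresults so it can be pasted into any search bar without real data; the asset and transaction values are assumptions for the demo. The transaction step folds the events into one multivalue _raw per transField, dedup keeps the most recent transaction per assetID, and the eval copy lets mvexpand split the raw events back out so stats can summarise them.

```spl
| makeresults count=6
| streamstats count AS n
| eval _time = _time + n
| eval assetID = "asset-" . ((n % 2) + 1)
| eval transField = "txn-" . ((n % 2) + 1)
| eval _raw = "event " . n . " for " . assetID
| transaction transField mvraw=true
| dedup assetID
| eval rawCopy = _raw
| mvexpand rawCopy
| rename rawCopy AS _raw
| stats count AS events, min(_time) AS first_seen, max(_time) AS last_seen BY assetID
```

To confirm that the copy is what makes the expansion work, replace the three lines starting at eval rawCopy with a bare "| mvexpand _raw" and the search returns the same "Field '_raw' does not exist in the data." error described in the question; with the copy in place each asset reports three expanded events.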
