2/28/2024

Splunk join multivalue field

Index A fields : account_name,cn,au,acct_name,elid,full_name,email_address,manager_name

Index B fields : au,service_account_name,job_title,lob,account_type,service_account_id,owner_elid,au_owner_name,au_owner_email

Example : Let's say, if "account_name" has no value from index A, then coalesce should populate it from "au_owner_name". (That's what I am coalescing for a couple of fields.)

Also, stats values(*) by au doesn't yield result (by combining from both index) but eventstats does. However eventstats values(*) creates multivalue fields and mvexpand won't help. I tried mvexpand to flatten some fields, but it didn't flatten. Is helping, but max() function is fetching me just one value out of the mvfield.

I tried solution with a change, it populates but not quite the way I wanted.

```
| eval pwd_expires=if(nopassexpire=1, "True", "False"), account_type=if(type="S", "Service Account", account_type)
| table is_interactive,account_name,cn,au,acct_name,elid,full_name,full_name,email_address,manager_name,service_account_name,job_title,lob,pwd_expires,service_accout_name,account_type,service_account_id,service_account_id,owner_elid,au_owner_name,au_owner_email
| eval au_owner_email=coalesce(au_owner_email,email_address)
| eval au_owner_name=coalesce(au_owner_name,full_name)
| eval service_accout_name=coalesce(service_account_name,cn)
| eval service_account_id=coalesce(service_account_id,app_id)
| rename acct_name as user, account_type as type
| eval user=lower(user)
| table user type pwd_expires is_interactive service_account_id service_account_name au au_owner_name job_title au_owner_email elid manager_name lob
```

I changed stats to eventstats, it populates value, but I think because of the usage of MAX() function I am not seeing multiple service_account_id or service_account_names associated to each au. But in real the multivalue fields should be split into different rows, but now MAX() messes things up, and stats values() is creating some multivalue fields !!!! stuck !!

First search: index=A "ul-ctx-caller-span-id"=null

With this search, I can get several row data with different methods in the field thod, so the table will be: ul-ctx-head-span-id | thod

With the field "ul-ctx-head-span-id", second search will return 2 row data with different ul-log-data.function, ul-span-duration, so the table will be: ul-ctx-head-span-id | ul-log-data.function | ul-span-duration

Finally, I want to get a table like below: ul-ctx-head-span-id | thod | ul-log-data.function | ul-span-duration

Please note: the second search depends on the field "ul-ctx-head-span-id" in the result of first search. It means if I get 4 row data in first search, then after join, I need to show 8 row data.

Forgive my poor English, can someone help on this?

The easiest way to do this would be to use a join command:

```
index=cosv2 ul-ctx-source=c4rupgrd "ul-ctx-caller-span-id"!=null "ul-log-data.function"="GetRemainingAsync" OR "ul-log-data.http_url"="..."
| join ul-ctx-head-span-id
| table _time ul-ctx-head-span-id http_url function ul-span-duration
```

Try that and see if you get the results you're looking for.

Edit: Another way to accomplish this:

```
(index=cosv2 ul-ctx-source=c4rupgrd ( ("ul-ctx-caller-span-id"=null) OR ("ul-ctx-caller-span-id"!=null "thod"="*") ) )
| eval func_dur = 'ul-log-data.function'."|".'ul-span-duration'
| stats values(thod) as thod values(func_dur) as func_dur by ul-ctx-head-span-id
| eval "ul-log-data.function" = mvindex(split(func_dur, "|"), 0), "ul-span-duration" = mvindex(split(func_dur, "|"), 1)
| table ul-ctx-head-span-id thod ul-log-data.function ul-span-duration
```