If this reply helps you, Karma would be appreciated.

Yes, the lookup command supports multiple fields, but all of the fields are ANDed during the lookup. The only way to do an OR is via multiple lookups. Note: the lookup command can accept multiple lookup and local fields and destfields.

If your input key is multivalued, then you may have a problem, depending on what you want to do. One easy way to make things work - depending on what you want for a final output - is:

yoursearchhere | mvexpand key | lookup lookup_key key OUTPUT resultX resultY | whatever else

Everything else gets more complicated, and depends on exactly what data you have and what result you need. There isn't really enough info in this thread to go farther. So if this idea doesn't work for you, please post:

1. an explanation, mock-up or something to describe the results that you are trying to get
2. an example of the lookup table (a couple lines should do here)
3. a description of the important fields (and which ones can be multi-valued)
4. a few sample events (sanitized of real server names, user names etc.)

For this answer, assume that the lookup is described as in lguinn's answer from 1. And, assume that the event data that we are searching has a format something like this, where the fields are the timestamp, a 5-digit field named id and a multivalued field named key. Assume that you also have created a lookup named lookup_key.

At first, in the search you shared you don't need the regex extractions, because you don't need them in the timechart command: Status and sectionid aren't present in the timechart command. If you don't have exact results, you have to put in the lookup (in ...). Then you can use the lookup command to filter out the results before timechart.

The following are examples for using the SPL2 dedup command: remove duplicate results based on one field; remove duplicate search results with the same host value; keep results that have the same combination of values in multiple fields. To learn more about the dedup command, see How the dedup command works.

The fields command keeps or removes fields from search results based on the field list criteria. Splunk uses the `fields -` form of the command to select which columns to exclude from the results. By default, the internal fields _raw and _time are included in output in Splunk Web.

Related questions:

- Search multiple fields from one lookup field.
- Splunk query to extract multiple fields from single field.
- How to extract data using multiple delimited values in Splunk.
- Splunk: Split extracted field after specific position.
- Splunk: Group by certain entry in log file.
- Group events by multiple fields in Splunk.
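As an added, self-contained illustration of the mvexpand approach above (this is example code written for this page, not code from the thread or from Splunk's documentation), the two searches below use only the names given in the thread (lookup_key, id, key, resultX, resultY); the sample rows and events are constructed. The first search builds a two-row lookup file named lookup_key.csv with makeresults and outputlookup; the second constructs three events, one of which has a multivalued key, expands the multivalue, performs the lookup, and regroups the per-value results back to one row per id with stats.

```spl
| makeresults count=1
| eval key="k1", resultX="x1", resultY="y1"
| append [ | makeresults count=1 | eval key="k2", resultX="x2", resultY="y2" ]
| table key resultX resultY
| outputlookup lookup_key.csv

| makeresults count=1
| eval id="00042", key=split("k1,k2", ",")
| append [ | makeresults count=1 | eval id="00043", key="k2" ]
| append [ | makeresults count=1 | eval id="00044", key="k3" ]
| fields _time id key
| mvexpand key
| lookup lookup_key.csv key OUTPUT resultX resultY
| stats values(key) AS key values(resultX) AS resultX values(resultY) AS resultY by id
```

Run the first search once to create the file (it needs write access to the app's lookups directory), then the second. Expected result: id 00042 carries key k1,k2 with resultX x1,x2 and resultY y1,y2; id 00043 carries k2 with x2 and y2; id 00044 keeps key k3 but has no resultX or resultY, because k3 has no row in the lookup. Without the mvexpand step the lookup would try to match the whole multivalued key at once instead of each value separately, and the stats step is what turns the expanded rows back into one event per id. If you also pass a second field to lookup (for example `| lookup lookup_key.csv key id OUTPUT resultX`) the match requires both columns to agree, which is the AND behaviour described above; an OR needs one lookup per field followed by an eval that coalesces the outputs.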