
In logs we have a value "device=xyz,1". Here we need to consider "xyz,1" as a single value and display it in a table format. But when we run a query it just displays the device value as "xyz" and misses out ",1". How do we consider it as a single value?

Query example: ....|eval device = if(isnull(device), "notFound", device) | table device

Expectation from the above query:
Table should have column name as device and value should be "xyz,1"

What is actually happening:
Table has column name as device but value is "xyz"

I have tried mvjoin but it's not helping.

Please suggest a solution

PM 77-1
Nithya
  • How are you getting this data in? Is it event data? In a lookup table? Something else? – warren Jan 25 '23 at 17:17
  • By default, Splunk will automatically process data in key=value format, but the value is assumed to end at the first comma or space. The fix is to add props.conf settings that tell Splunk the right way to parse that field. – RichG Jan 25 '23 at 18:17
  • If you cannot adjust parsing, then use `rex` to capture the way you like. – PM 77-1 Jan 25 '23 at 21:05
  • @warren, I am new to Splunk, so I am not sure whether I understood your question correctly; let me answer as per my understanding. We have events which have data logged in a specific format, and from those events we pick the keyword 'device=somevalue'. That 'somevalue' can have "," in between. We are trying to get that value as a single value, but Splunk considers them as separate values, so what change would be required? – Nithya Jan 26 '23 at 11:10
  • Both @pm-77-1 and I suggested changes. Have you tried them? – RichG Jan 26 '23 at 14:26
  • Hi @RichG and PM 77-1, thanks for your input. I am yet to check the props.conf file; after checking it, I thought I would get back to you. Regarding rex, yes, that was one of the options, but before that I just wanted to check whether there are any other options available. If not, then I will opt for rex. – Nithya Jan 27 '23 at 03:54
  • @PM 77-1 I have finally used rex to solve my issue. Thank you :) – Nithya Jan 27 '23 at 16:22

1 Answer

You may need to custom-extract the value (until you can get the sourcetype's props.conf and transforms.conf updated).

Something like this should work:

<search>
| rex field=_raw "device=(?<device>\S+)"
<rest of search>
warren
  • Thanks for the suggestion, let me try this solution and get back to you. – Nithya Jan 27 '23 at 03:55
  • Thanks everyone for your valuable input, I slightly modified the regex as per my requirement and that solved my issue. – Nithya Jan 27 '23 at 16:22
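The behaviour discussed in the comments and the answer (automatic key=value extraction stopping at the first comma, versus a custom `rex` that captures up to the next whitespace) can be reproduced outside Splunk. The following is an added example, not code from the original post or from Splunk: it runs both regexes over a few constructed log lines and mirrors the `if(isnull(device), "notFound", device)` fallback from the question. Python's `re` module spells a named group `(?P<name>...)` rather than Splunk's `(?<name>...)`; the pattern is otherwise the same as in the answer. The sample events, field names and the `notFound` fallback are assumptions chosen to match the question.

```python
import re

# Constructed sample events (not taken from the original post). The first two
# carry commas inside the device value, the third has no device field at all.
SAMPLE_EVENTS = [
    "ts=2023-01-25T17:17:00Z device=xyz,1 action=login",
    "ts=2023-01-25T17:18:00Z device=abc,2,3 action=logout",
    "ts=2023-01-25T17:19:00Z action=heartbeat",
]

# Approximation of Splunk's automatic key=value extraction as described in the
# comments: the value is assumed to end at the first comma or whitespace.
DEFAULT_KV = re.compile(r"device=(?P<device>[^,\s]+)")

# Python equivalent of the answer's rex: device=(?<device>\S+)
# Everything up to the next whitespace is the value, so the comma is kept.
CUSTOM_KV = re.compile(r"device=(?P<device>\S+)")


def extract_device(event: str, pattern: re.Pattern) -> str:
    """Return the device value, or 'notFound' when the field is absent.

    Mirrors: | eval device = if(isnull(device), "notFound", device)
    """
    match = pattern.search(event)
    return match.group("device") if match else "notFound"


def extract_devices(events, pattern: re.Pattern) -> list:
    """Apply one extraction pattern to every event, like a | table device column."""
    return [extract_device(event, pattern) for event in events]


def compare_extractions(events):
    """Side-by-side view of default vs custom extraction for each event.

    Returns a list of (default_value, custom_value, truncated) tuples, where
    `truncated` flags events whose default extraction lost part of the value.
    That is the case worth checking: a truncated device ID silently breaks any
    search, lookup or alert that matches on the full value.
    """
    rows = []
    for event in events:
        default_value = extract_device(event, DEFAULT_KV)
        custom_value = extract_device(event, CUSTOM_KV)
        rows.append((default_value, custom_value, default_value != custom_value))
    return rows


if __name__ == "__main__":
    print(f"{'default':<12}{'custom (rex)':<14}truncated")
    for default_value, custom_value, truncated in compare_extractions(SAMPLE_EVENTS):
        print(f"{default_value:<12}{custom_value:<14}{truncated}")
```

The same `\S+` pattern can be made permanent for the sourcetype with an `EXTRACT-` setting in props.conf (for example `EXTRACT-device = device=(?<device>\S+)`), which is the "fix the parsing" route RichG mentions; the search-time `rex` in the answer is the workaround when that file cannot be changed. Whichever route is used, pick the terminator to match the log format: `\S+` is right when values never contain spaces, but if the device field were followed by a different separator (a semicolon, say) the character class would need adjusting so it does not swallow the next field.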