Solved: Re: Custom event renderer: able to access values i...

Jason · ‎01-26-2011

I'm writing up a custom event renderer to show the differences in two events in a transaction. Naturally, transaction will put in multivalued fields if the values are different between the two events.

I have seen both

<% count = event.fields['_count'] %>

and

<% tags = event.fields.get('_tags','') %>

formations in the search app's discovered.html. Can either of these be used to get values from a multivalued field, or get the count of values in a multivalued field? Or do I have to load up my search with a ton of evals?

Johnvey · ‎01-27-2011

Yes, multivalue fields are accessible via the Python SDK. Let's use the following working example.

Get a search job that has multivalue fields (I coerce that by using makemv😞

my_job = splunk.search.dispatch('| windbag | makemv delim=" " sample | fields sample, host, source')

and then grab the first result to play around with:

result = my_job.results[0]

result is actually an object that contains all of the multivalue data as well as tags:

>>> result.fields.keys()
['sample', 'host', 'source', '_cd', '_raw', '_time']
>>> result.fields['sample']
Je,peux,manger,du,verre,,Ã§a,ne,me,fait,pas,de,mal.
>>> result.fields['sample'][0]
<splunk.search.ResultFieldValue object at 0xa7dd8d0>
>>> result.fields['sample'][0].value
'Je'
>>> result.fields['sample'][0].tags
[]
>>> len(result.fields['sample'])
12
>>> result.fields['sample'][11].value
'mal.'

From the example above, you'll note that:

the base ResultField object will return a convenience string that is a concatenation of all of its values
applying an index selector to the ResultField object will pull out each multivalue field individually
the multivalue field values are stored in an array
the individual ResultFieldValue object contains 'value' and 'tags' members

View solution in original post

Johnvey · ‎01-27-2011

Yes, multivalue fields are accessible via the Python SDK. Let's use the following working example.

Get a search job that has multivalue fields (I coerce that by using makemv😞

my_job = splunk.search.dispatch('| windbag | makemv delim=" " sample | fields sample, host, source')

and then grab the first result to play around with:

result = my_job.results[0]

result is actually an object that contains all of the multivalue data as well as tags:

>>> result.fields.keys()
['sample', 'host', 'source', '_cd', '_raw', '_time']
>>> result.fields['sample']
Je,peux,manger,du,verre,,Ã§a,ne,me,fait,pas,de,mal.
>>> result.fields['sample'][0]
<splunk.search.ResultFieldValue object at 0xa7dd8d0>
>>> result.fields['sample'][0].value
'Je'
>>> result.fields['sample'][0].tags
[]
>>> len(result.fields['sample'])
12
>>> result.fields['sample'][11].value
'mal.'

From the example above, you'll note that:

the base ResultField object will return a convenience string that is a concatenation of all of its values
applying an index selector to the ResultField object will pull out each multivalue field individually
the multivalue field values are stored in an array
the individual ResultFieldValue object contains 'value' and 'tags' members

Jason · ‎01-27-2011

So, in answer to my immediate question, <% makovar = event.fields['mvfield'][1] %> was able to access my second multivalued field value, and <% fieldcount = len(event.fields['mvfield']) %> got me how many values there were. I never knew this was python - thanks!

Custom event renderer: able to access values in multivalued field?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases