Multivalue Fields – Lab Guide

Overview
Welcome to the Splunk Education lab environment. These lab exercises will test your knowledge of searching,
creating, modifying, and manipulating multivalue data with multivalue commands and functions.

Scenario
You will use data from the international video game company, Buttercup Games. A list of source types is
provided below.

NOTE: This is a lab environment driven by data generators with obvious limitations. This is not a
production environment. Screenshots approximate what you should see, not the exact output.

Index Type Sourcetype Interesting Fields

web Online sales access_combined action, bytes, categoryId, clientip, itemId,
JSESSIONID, price, productId, product_name,
referer, referer_domain, sale_price, status,
user, useragent

security Active Directory winauthentication_security LogName, SourceName, EventCode, EventType, User

Badge reader history_access Address_Description, Department, Device, Email,

Event_Description, First_Name, last_Name, Rfid,
Username

network Web security cisco_wsa_squid action, cs_method, cs_mime_type, cs_url,

appliance data cs_username, sc_bytes, sc_http_status,
sc_result_code, severity, src_ip, status, url,
usage, x_mcafee_virus_name, x_wbrs_score,
x_webcat_code_abbr

Firewall data cisco_firewall bcg_ip, dept, Duration, fname, IP, lname,

location, rfid, splunk_role, splunk_server,
Username
systems Linux system log server_log Active Ram, Available Ram, CPU Percent Used,
Free Ram, Inactive Ram, RAM Percent Used, Total
Ram, Used Ram
HTTP status code status_definitions
status, status_description, status_type
definitions
AWS system data system_info CPU_CORES{}.core,
CPU_CORES{}.core_percent_used,
CPU_CORES{}.system, CPU_CORES{}.user,
RAM.active, RAM.available, RAM.total, RAM.used,
ROOT_USERS{}, SYSTEM{}

© 2021 Splunk Inc. All rights reserved. Multivalue Fields 15 October 2021 1
Common Commands and Functions
These commands and statistical functions are commonly used in searches but may not have been explicitly
discussed in the module. Please use this table for quick reference. Click on the hyperlinked SPL to be taken to
the Search Manual for that command or function.
SPL Type Description Example

Sorts results in Sort the first 100 src_ip values in descending order
descending or ascending
sort command
order by a specified field.
| sort 100 -src_ip
Can limit results to a
specific number.

Return events with a count value greater than 30

Filters search results
where command
using eval-expressions.
| where count > 30
Rename SESSIONID to 'The session ID'
Renames one or
rename command
more fields.
| rename SESSIONID as "The session ID"

Remove the host field from the results

Keeps (+) or removes (-)
fields command
fields from search
| fields - host
results.

Calculate the total sales, i.e. the sum of price values.

Calculates aggregate
stats command
statistics over the
results set.
| stats sum(price)

Concatenate first_name and last_name values with a

Calculates an expression space to create a field called "full_name"
eval command and puts the resulting
value into a new or
existing field.
| eval full_name=first_name." ".last_name

Output vendorCountry, vendor, and sales values to

table command Returns a table. a table

| table vendorCountry, vendor, sales

Returns the sum of the Calculate the sum of the bytes field
statistical values of a field. Can be
sum() function used with stats,
timechart, and chart
| stats sum(bytes)
commands.

Returns the number of Count all events as "events" and count all events that
occurrences of all events contain a value for action as "action"
count or statistical
or a specific field. Can
count() function
be used with stats, | stats count as events,
timechart, and chart count(action) as action
commands.

Refer to the Search Reference Manual for a full list of commands and functions.
© 2021 Splunk Inc. All rights reserved. Multivalue Fields 15 October 2021 2
Lab Exercise 1 – What are Multivalue Fields?
Description
Configure the lab environment user account. Then, you will use spath to interpret self-describing data and
multivalue stats functions to convert single-value fields to multivalue fields.

Steps
Log into Splunk and change the account name and time zone.

Set up your lab environment to fit your time zone. This also allows the
instructor to track your progress and assist you if necessary.
Log into your Splunk lab environment using the username and
password provided to you.
You may see a pop-up welcoming you to the lab environment. You can
click Continue to Tour but this is not required. Click Skip to dismiss
the pop-up window.
Click on the username you logged in with (at the top of the screen) and
then choose Account Settings from the drop-down menu.
After you complete step 6,
In the Full name box, enter your first and last name.
you will see your name in
Click Save. the web interface.
Reload your browser to reflect the recent changes to the interface.
(This area of the web interface will be referred to as user name.)

NOTE: Sometimes there can be delays in executing an action like saving in the UI or returning results
of a search. If you are experiencing a delay, please allow the UI a few minutes to execute
your action.

Navigate to user name > Preferences.

Choose your local time zone from the Time zone drop-down list.
Click Apply.
(Optional) Navigate to user name > Preferences > SPL Editor > Search auto-format and click on the
toggle to activate auto-formatting. Then click Apply. When the pipe character is used in search, the SPL
Editor will automatically begin the pipe on a new line.

Search auto-format disabled (default)

Search auto-format enabled

© 2021 Splunk Inc. All rights reserved. Multivalue Fields 15 October 2021 3
 Extract fields using the spath command.

In the top left corner of Splunk Web, select Apps > Search & Reporting. This sets the app context to the
search app.
Search HTTP status definitions (index=systems sourcetype=status_definitions) data over All time.

Expand the event details by clicking Show all 203 lines. Notice that this one event is in XML format.

© 2021 Splunk Inc. All rights reserved. Multivalue Fields 15 October 2021 4
 Extract fields by using the spath command.

Look at your Interesting Fields list. New fields should now be available.

Display a table containing the root.row.status, root.row.status_description, and

root.row.status_type from the extracted XML.

Rename the columns as status, status_description, and status_type.

© 2021 Splunk Inc. All rights reserved. Multivalue Fields 15 October 2021 5
 Save your search as a report with the name L1S1.
a. Click Save As > Report
b. For Title, enter L1S1.
c. Save.
d. You can View your report or exit out of the Your Report Has Been Created window by clicking
the X in the upper-right corner.
e. You can access your saved reports using the Reports tab in the application bar.
f. Re-initialize the search window by clicking Search in the application bar.

Your recently saved L1S1 report will be visible in the Reports tab.

Extract fields from an XML file using the spath function of the eval command.

Reuse the previous search but use the eval command with the spath function to extract and create
root.row.status as status, root.row.status_description as description and

© 2021 Splunk Inc. All rights reserved. Multivalue Fields 15 October 2021 6
 root.row.status_type as type. Search over All Time and display results in a table as shown:

Save your search as a report with the name L1S2.

Scenario: ITOps wants to analyze performance of a Linux server based on a system log.

Display a table showing the performance of the server over the course of the last 24 hours.

Search for all events in the linux system log (index=systems sourcetype=server_log) over
the Last 24 hours.

Click the system_info field in the Interesting Fields list. Note that the values are in JSON format.

Use the spath command to extract fields specifically from the system_info field. Notice the new fields
that are now listed under Interesting Fields.

© 2021 Splunk Inc. All rights reserved. Multivalue Fields 15 October 2021 7
 Display a table showing _time, Used Ram, Free Ram, RAM Percent Used, and CPU Percent Used.

NOTE: The system information extracted does not include all types of memory usage for the server
(e.g., inactive RAM, wired RAM). The RAM Percent Used values represent a percentage of
total RAM.

Save your search as a report with the name L1S3.

© 2021 Splunk Inc. All rights reserved. Multivalue Fields 15 October 2021 8
Scenario: Sales Ops wants a table displaying the number of successful online purchases during the
previous week by web host and category to see which types were purchased most.

Use a multivalue stats function to complete a search.

Complete the <missing> portion of this search so that all categoryId and count values are listed
by host. Run this search over the Previous week.

index=web sourcetype=access_combined action=purchase status=200 categoryId=*

| stats count by host, categoryId
| sort -count
| <missing>

Save your search as a report with the name L1S4.

Scenario: ITOps wants to see all unique users active on the AD/DNS server during the last 4 hours.

Use a multivalue stats function to list unique values.

Search Active Directory data (index=security sourcetype=winauthentication_security) for events

over the Last 4 hours.

© 2021 Splunk Inc. All rights reserved. Multivalue Fields 15 October 2021 9
 Use a multivalue stats function to list all unique values of User. Retain "User" as the field name by using
an as clause.

Save your search as a report with the name L1S5.

© 2021 Splunk Inc. All rights reserved. Multivalue Fields 15 October 2021 10
Lab Exercise 2 – Creating and Evaluating Multivalue Fields
Description
In this lab exercise, you will use the commands you learned in class to create and evaluate multivalue fields.
Steps

Scenario: Show a count for all products sold online yesterday by product_name whose productId
contains "SH".

Use makemv to convert a single-value field to a multivalue field.

NOTE: There are other ways to accomplish this search – for example, by using a where command with
a match function and specifying a regex pattern. However, in this task, you will use makemv to
reinforce what you learned about multivalued functions in the lecture.

Search all Buttercup games online sales events (index=web sourcetype=access_combined)

from Yesterday.

In the Interesting Fields list, look at how the values of productId are structured, e.g. AA-BB-CC1. Use
the makemv command to split the values of productId into 3 groupings, e.g. AA, BB, CC1. In other words,
use makemv to convert the single-value field productId into a multivalue field containing 3 values without
the dash ( - ) character.

In the Interesting Fields list, you will see how the productId field has been split up.

Only keep results where the productId contains "SH" by using the search command with the expression,
productId = "SH".

NOTE: Step 5 is optional and requires knowledge of the stats command. You can skip this step and
continue to step 6 to save your search as a report.

© 2021 Splunk Inc. All rights reserved. Multivalue Fields 15 October 2021 11
 Count events by product_name.

Save your search as a report with the name L2S1.

Scenario: Security has requested that you develop a search that will identify any Buttercup Games
employees who used a workstation other than their own during the last 7 days. The
workstation name should be included in the saved report.

Use multivalue eval functions to complete a search. Then, display results as a table and filter
the search results.

NOTE: At Buttercup Games, employees are required to use ONLY their company assigned
workstations (i.e., their assigned desktop or laptop computer.) Therefore, it would be unusual for
an employee to use a machine belonging to another employee. Thus, one would expect that this
search would generally produce no results.

Run this search over the Last 7 days. This search finds events from the web security appliance data and:
a. Limits results to just bcg_workstation and username values using the fields command.
b. Further filters results to just unique combinations of bcg_workstation and username using the
dedup command.

index=network sourcetype=cisco_wsa_squid
| fields bcg_workstation username
| dedup bcg_workstation username

© 2021 Splunk Inc. All rights reserved. Multivalue Fields 15 October 2021 12
 Review the values for username and bcg_workstation. Notice how all the bcg_workstation values
have the same naming convention: BG0x-username, for example BG01-acurry, BG02-perna, etc.

Create a new multivalue field with the eval command called "workstation" whose values are made from
splitting up bcg_workstation using the ( - ) dash character.

Create a new single value field called "workstation_user" whose value is the username
portion of workstation. (Hint: The function you will be using has two arguments, a multivalue field and an
integer referencing the position of a value within that multivalue field's index.)

Use the table command to display workstation_user and username values side by side in a table.

Use the where command to find Buttercup Games employees who used a workstation that was not their
own. Since all employees are required to take mandatory security and compliance training every week and
therefore, should only be using their own workstations, your search should return no results.

Save your search as a report with the name L2S2.

Challenge: Test your search.

© 2021 Splunk Inc. All rights reserved. Multivalue Fields 15 October 2021 13
 Since your search returned no results, you should verify that the search worked as you intended. Simulate
the scenario of a user logging into another user's workstation. To do so, edit the <missing> portion of this
search so that the username rroberts will be changed to "rsanchez" but all other values will remain the
same. Execute the search over the Last 7 days. (Hint: This search uses an eval function that was not
discussed in the slides. Refer to the Search Manual to find an eval function that will evaluate the
expression username=rroberts and return rsanchez if true and username if false.)

index=network sourcetype=cisco_wsa_squid
| fields bcg_workstation username
| dedup bcg_workstation username
| eval workstation = split(bcg_workstation,"-")
| eval workstation_user = mvindex(workstation,1)
| table username workstation_user
| eval username = <missing>
| where username!=workstation_user

Save your search as a report with the name L2X.

© 2021 Splunk Inc. All rights reserved. Multivalue Fields 15 October 2021 14
Lab Exercise 3 – Manipulating Multivalue Fields
Description
In this lab exercise, you will use the commands you learned in class to manipulate multivalue fields.
Steps

Scenario: Create a report that will display each AWS system's CPU core along with a colon-separated
list of the percent used and average percent used for each core.

Use multivalue eval functions to complete a search.

Search AWS system data (index=systems sourcetype=system_info) for systems in use during the
Last 60 minutes. Then rename SYSTEM{} to "SYSTEM", CPU_CORES{}.core_percent_used to
"core_percent_used", and CPU_CORES{}.core to "cpu_core".

Create a new field called "cpu_percent_used" that concatenates core_percent_used values

by a : (colon).

Calculate the average of core_percent_used by SYSTEM, cpu_percent_used, and cpu_core. Name this
average "average_cpu_used".

NOTE: In this environment, the SYSTEM name value is not unique per AWS instance. The
cpu_percent_used that you created a moment ago is unique per AWS instance. Therefore, to
obtain the average usage per instance, you need not only SYSTEM, but also the
cpu_percent_used.
Finally, list the values of average_cpu_used and cpu_percent_used by SYSTEM and cpu_core. Don't
forget to include an as clause so that field names are preserved.

© 2021 Splunk Inc. All rights reserved. Multivalue Fields 15 October 2021 15
 Save your search as a report with the name L3S1.

Challenge: Modify this search so that CPU_CORES{}.core has _number removed from each of its values.
For example, core_number_1 would become core_1, core_number_2 would become core_2,
core_number_3 would become core_3, etc.)

Complete the <missing> portion of this search and run the search over the Last 24 hours.. You will be
using a multivalue eval function and the replace function. (The replace(X,Y,Z) function was not
discussed in the slides. This function is a text function that substitutes the string Z for every occurrence of
regex string Y in string X. See the Search Manual for more information about the replace function.)

index=systems sourcetype=system_info
| rename SYSTEM{} as system, CPU_CORES{}.core as core
| rename CPU_CORES{}.core_percent_used as percent_used
| eval core = <missing>
| eval zip_percent_used = mvzip(core, percent_used,":")
| stats count as sum_core by system, asctime, zip_percent_used
| search zip_percent_used!=": 0.0"
| stats list(zip_percent_used) as "CPU Core Usage" by system, asctime

© 2021 Splunk Inc. All rights reserved. Multivalue Fields 15 October 2021 16
 Save your search as a report with the name L3X.

© 2021 Splunk Inc. All rights reserved. Multivalue Fields 15 October 2021 17