
Split one field's values and set one value each on subsequent rows

sh254087
Communicator

I have OS log data coming from Windows/Linux into Splunk. I have a particular field whose values are unseparated.

Sample log data representation.

_time   parameter   value
x       a           x1
        c
        b
x       a           x2
        c
        b
x       a           x3
        c
        b
y       d           y1
        e
y       d           y2
        e

I would want to split the parameter field's values in such a way that each parameter field will have one of the group values, in the same order. Sample output:

_time   parameter   value
x       a           x1
x       c           x2
x       b           x3
y       d           y1
y       e           y2

Can someone please help?


Richfez
SplunkTrust

How do you know that xa goes with x1 and xc goes with x2?  Like literally I'm looking at your example and I don't know how you would have come up with that correlation.

Can you tell me how you'd do this manually?  Unless we know this, I have no idea how we'd know how to make it work programmatically.


Richfez
SplunkTrust

Your *exact* example doesn't make much sense - why would y-d be y1 instead of y2?

But at least some of this may be as simple as "makemv" and/or "mvexpand".

In your example, it appears as if abcde are all multi-value fields (the "mv" in the two above commands).  If that's so,

...
| mvexpand parameter

should make the original into 13 rows.  Once they're separated, perhaps there's some other eval/conditionals you can use to get each output row to include the correct value?

If that doesn't work, you may need something like ...

...
| makemv delim=" " parameter
| mvexpand parameter

In any case I think you'll be two steps closer and we can iterate from there.


happy Splunking,

Rich


sh254087
Communicator

@Richfez Thanks for the response, Rich. Since mvexpand/makemv are the basics when it comes to splitting a field value, I had given it a try and tried again now as well. Like you've mentioned, trying this on the example data gives me 13 rows of output. But once I'm there, I do not know how to pick one pair of values for a row from the expanded list of values, spread across multiple rows.

_time   parameter   value
x       a           x1
x       c           x1
x       b           x1
x       a           x2
x       c           x2
x       b           x2
x       a           x3
x       c           x3
x       b           x3
y       d           y1
y       e           y1
y       d           y2
y       e           y2

After this, I'm unsure how to achieve the expected output:

_time   parameter   value
x       a           x1
x       c           x2
x       b           x3
y       d           y1
y       e           y2

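One way to get the pairing the question describes (the i-th event within a _time group keeps the i-th element of its multivalue parameter field), as an added SPL example that is not from either poster: number the events within each _time group with streamstats, then pick that position out of the multivalue field with mvindex instead of mvexpanding it. The first three lines construct the sample data from the question (two timestamps, parameter held as a space-separated string so makemv is needed, as Rich suggested); the makemv step can be dropped if parameter already arrives as a multivalue field.

```spl
| makeresults count=5
| streamstats count as n
| eval _time=_time + if(n<=3, 0, 60), parameter=if(n<=3, "a c b", "d e"), value=case(n=1,"x1", n=2,"x2", n=3,"x3", n=4,"y1", n=5,"y2")
| makemv delim=" " parameter
| streamstats count as idx by _time
| eval parameter=mvindex(parameter, idx-1)
| table _time parameter value
```

mvindex is zero-based, hence idx-1; if a group has more events than parameter has elements, the extra events get a null parameter rather than a wrong pairing, which is easy to spot with `| where isnull(parameter)`.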