Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to extract pipe separated subfields from a field?

lewix
New Member
‎10-22-2014 04:17 AM

Hi,
I have a index with a field named PARAMS.
This field has a content valued by subfields pipe separated.

Example:
PARAMS= mySubField1|mySubField2|mysubField3|......|mySubFieldN

Unfortunately Splunk doesn't correctly index this field (PARAMS) but in search app shows only the first subfield (mySubField1).
Even if i try to search other subfields (mySubField2, mySubField3, etc) Splunk return nothing.

Example:
_raw = PARAMS= mySubField1|mySubField2|mysubField3|......|mySubFieldN
but Splunk only shows mySubField1
event if i try in search PARAMS=mySubField2 Splunk returns nothing.

Anybody can help me please or suggest me a workaround?

Thank you!
Lewix

0 Karma
Reply

marcoscala
Builder
‎12-01-2014 02:30 AM

Hi,
I suggest you to check this document section:
http://docs.splunk.com/Documentation/Splunk/6.2.0/Search/Parsemultivaluefields

As you can see, I think that one simple solution could be to use "makemv" command, like this:

sourcetype=buonopasto  CMD=noop| makemv delim="|" PARAMS

that works in the simple scenario where you just have one separator (the PIPE char). It this works for you at least in that case, you can then work on a "append" of two searches, like this:

sourcetype=buonopasto  CMD=noop| makemv delim="|" PARAMS | append [search sourcetype=buonopasto  CMD=puttrans| makemv delim=" " PARAMS ]

Hope it helps,

Marco

0 Karma
Reply

sowings
Splunk Employee
Splunk Employee
‎10-22-2014 03:27 PM

You can create a DELIMS based extraction (transforms.conf) to extract the subfields:

[your\_transform\_rule]
SOURCE\_KEY = PARAMS
DELIMS = "|"
FIELDS = mysubfield1, mysubfield2, ..., mysubfieldN

Then, you'd call that rule from the props of your sourcetype, like this:

[your\_sourcetype]
REPORT-subfields = your\_transform\_rule
0 Karma
Reply

lewix
New Member
‎10-24-2014 01:27 AM

Hi,
thank you for your help but it seems not working.

I show you what i did, maybe something is wrong

  • In /opt/splunk/etc/apps/dbx/default/transforms.conf I added these lines
    [ethconnector_rule]
    SOURCE_KEY = PARAMS
    DELIMS = "|"
    FIELDS = PARAMS_FIELD1,PARAMS_FIELD2,PARAMS_FIELD3,PARAMS_FIELD4,PARAMS_FIELD5,PARAMS_FIELD6,PARAMS_FIELD7,PARAMS_FIELD8,PARAMS_FIELD9,PARAMS_FIELD10,PARAMS_FIELD11,PARAMS_FIELD12,PARAMS_FIELD13

  • In /opt/splunk/etc/apps/dbx/default/props.conf I added these lines (buonopasto is my database-input sourcetype)

[buonopasto]
REPORT-subfields = ethconnector_rule

  • I restarted splunk but new fields (PARAMS_FIELD1,...., PARAMS_FIELD12,PARAMS_FIELD13) do not appear in splunk search

Last info: PARAMS, as I said before, is pipe separated in subfields, but not always. There is another field that determines how PARAMS is separated.
Example:
if CMD==puttrans then PARAMS=PARAMS_FIELD1|...|PARAMS_FIELD12|PARAMS_FIELD13
if CMD==noop then PARAMS=field1 field2 field3

Maybe can this be the issue?

Thank you again.
Lewix

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...