Splunk Search

How to extract a multivalue field into separate fields?

bibc
Explorer

I'm using the following regex to extract name from data:

.. | rex "@name='(?P<Name>[^']+)" max_match=0

This works and extracts the Name field multiple times, but I want to extract the Name in multiple fields like Name01, Name02 ...
The reason for this is that I use the ODBC driver to get the search results and this only gets the first Name value.

Here is an example of the data:

COGIPF_REPORTPATH=/content/folder[@name='Reports']/folder[@name='Test company']/folder[@name='Sales']/folder[@name='User reports']/folder[@name='Test User']/analysis[@name='Sales this month']
1 Solution

stephane_cyrill
Builder

Hi, try this
.....| rex "@name='(?P<Name>[^']+)" max_match=0 | eval name1=mvindex(Name,0) | eval name2=mvindex(Name,1) | eval name3=mvindex(Name,2) | eval name4=mvindex(Name,3) | eval name5=mvindex(Name,4) | eval name6=mvindex(Name,5) | table name1 name2 name3 name4 name5 name6

bibc
Explorer

Hi
Great, just what I needed.
It even works through the ODBC connection showing the right data.
Thanks.

stephane_cyrill
Builder

You're welcome

0 Karma

sk314
Builder

Have you looked at mvexpand? http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/Mvexpand

You could pipe an mvexpand command at the end of your rex extraction.

0 Karma

bibc
Explorer

Hi
Thanks for your suggestion.
I have just tried to use mvexpand but this results in multiple events/records.
What I need is a single event with the multivalue field separated in different fields.

0 Karma