How to extract values from 2 multivalue fields as ...

gnorud · ‎04-14-2015

I need to extract from 2 fields and compile them into multiple fields.

1st field contains all the counter names.
Example
Event:
label=counter1,counter2,counter3
The label doesn't change. Event is all the same for label type.

2nd field contains all the counts.
Example
Event1= 0,10,20
Event2=2,30,15
...
EventN=x,y,z

I can use split and mv to do the extraction.
How can I compile those counter and counts into key value pairs inline?
I need to use the values from counter field as a new field. Values from count field as the new values. The pair will be position based and split by comma?

ngatchasandra · ‎04-14-2015

I reply you by considering that the count values are inside a multivalue field . Use query that follow:

I consider values count in field like Count=0,2,3 for example.

   ....|eval CountNew=split(count,",")  |eval counter1=mvindex(CountNew,0) |eval counter2=mvindex(CountNew,1) |eval counter3= mvindex(countNew,2) | table counter1 counter2 counter3

gnorud · ‎04-14-2015

This is my current workaround.

However I need the field name to be created dynamically as well from another fields' multivalued event.

For example: as for a single event, field name = countertype; field value=(Counter1,counter2,counter3).

I need extract from above event and create 3 new fields.
Fields name = counter 1,2,3

ngatchasandra · ‎04-14-2015

i think that my query assign counts values to each counter, counter1 counter2, counter3 . You can use timechart like follow:

stephanefotso · ‎04-14-2015

I don't know how are your events but something like this may help. I hope

your base search    |rex "lable=(?<conter1>[^,]),(?<conter2>[^,]),(?<conter3>.*+)"|rex "Event=(?<cont1>\d+),(?<cont2>\d+),(?<cont3>\d+)\s"|eventstats count(count1) as counter1 by conter1|eventstat count(count2) as counter2 by conter2|eventstat count(count3) as counter3 by conter3|table counter1 counter2 counter3

SGF

gnorud · ‎04-14-2015

Hi
The counts value is from count field. So I don't have to count events. I need to assign counts values to each counter.

stephanefotso · ‎04-14-2015

OK. Here you go:

your base search    |rex "lable=(?<conter1>[^,]),(?<conter2>[^,]),(?<conter3>[^\s]+)"|rex "Event=(?<cont1>\d+),(?<cont2>\d+),(?<cont3>\d+)\s"|eventstats values(count1) as counter1 by conter1|eventstat values(count2) as counter2 by conter2|eventstat values(count3) as counter3 by conter3|table counter1 counter2 counter3

SGF

ngatchasandra · ‎04-14-2015

Hi gnorud,

Try with this format of query with mvindex function and rex_macth attribute:

Hi, try this

 ...| rex "your rex P? <label>..." max_match=0| eval label1=mvindex(label,0) | eval label2=mvindex(label,1) | eval label3=mvindex(label,2) |  rex "your rex P?<Count>..." max_match=0|eval Count1=mvindex(Count,0) | eval Count2=mvindex(Count,1)| eval count3=mvindex(Count,2) |table label1 label2 label3 Count1 Count2 Count3

You will get the key value pair of each field.

gnorud · ‎04-14-2015

The purpose is to create a tabulate output with label as column name, then populate each row by using count values.
Labels are extracted from counter fields by delimiter comma,
Values are extracted and assigned to each label cell.

With the output so I can chart based on _time

ngatchasandra · ‎04-14-2015

Are you extract already the count values as a multivalue field? If not try to send me an entire event that contain the values count!

I tried to reply you below!

gnorud · ‎04-14-2015

Hi
I don't need to extract count value.
The count field in the log is multivalued separated by comma，count event is the number of occurance for each counter, counter name is from another field.

I want a timecharts to show linechart per counter and counts created inline.

How to extract values from 2 multivalue fields as field names and values and generate new key value pairs dynamically?

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk