Expanding CSV to a Multi-Valued Field

jbp4444 · ‎06-22-2011

I have a comma-separated list of 3 random values in a field called randlist (syslog-like entries):

Jun 22 10:39:46 bdgpu-login-01 randtest[19726]: xid=1308753586 rand3=2 rand1=0.147066939336213 randlist=0.147066939336213,7.29877393854405,2 rand2=7.29877393854405

I'd like to grab the randlist field and break it into a multi-valued field. For now, there are 3 fields, but it could be a variable-sized list in the future.

I.e. I'd like randlist | ..something.. | eval c=mvcount(randlist) to produce a value of 3 (three items in the list)

jbp4444 · ‎06-22-2011

unless randlist is itself not getting the comma-separated list? i.e. the last column in the above output suggests randlist is a single number. The original syslog line definitely has the comma-sep list.

jbp4444 · ‎06-22-2011

Hmm, seems like that should work ... but I don't get multiple values:

 randlist | eval r=split(randlist,",") | eval c=mvcount(r) | table _time c r*

the output shows:
_time c r rand1 rand2 rand3 randlist

6/22/11 1:12:47.000 PM 1 0.544830349649022 0.544830349649022 4.65601461737279 3 0.544830349649022

6/22/11 1:11:47.000 PM 1 0.570239085771959 0.570239085771959 4.57874341757059 5 0.570239085771959

6/22/11 1:10:47.000 PM 1 0.284757352089141 0.284757352089141 5.87026520381151 1 0.284757352089141

So only the first entry of randlist is being captured (I get the same result if I put "randlist=split(randlist..." in there too). Tried adding 'mvexpand randlist' .. also didn't seem to help.

southeringtonp · ‎06-22-2011

If you already have randlist extracted, and you're using Splunk 4.1 or higher, you can use split():

| eval randlist=split(randlist, ",")

For older Splunk versions, use rex.

Expanding CSV to a Multi-Valued Field

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life