Splunk Search

How can I convert the format of the values for a multivalue field?

sfatnass
Contributor

Hi

I want to change a multivalue field from:

Abcd=0.3333
GBTDF=0.25
JKLLIH=0.5

to:

Abcd 33%
GBTDF 25%
JKLLIH 50%

thx

ps: it's not a simple field

1 Solution

javiergn
SplunkTrust

What about this? You can ignore the first 4 lines that I used to replicate your use case.

| stats count
| fields - count
| eval event = "Abcd=0.3333, GBTDF=0.25, JKLLIH=0.5"
| eval event = split(event, ",")
| mvexpand event
| rex field=event "(?<key>[^=]+)=(?<value>[\d\.]+)"
| eval keyvalue = key . " " . round(value*100,0) . "%"
| fields - key, value, event
| stats list(keyvalue) as keyvalue

Output:

keyvalue
--------------
Abcd 33%
GBTDF 25%
JKLLIH 50% 


gabriel_vasseur
Contributor

Have you had a look at whether multikv can do what you want? If it doesn't, please provide more information.

sfatnass
Contributor

thx javiergn it works ^^
