- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Change multivalue field to strings
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have table like tis
name | Category
"one; one two; bla trhree aaa bbb; ddddd eeeee aaaaaa; wwww" | Category1
"one; bla wwww; eeee; bbb zzzzz" | Category2
"one" | Category3
Now I have multivalue Field in dashboard, where I want to put query like ( for Category1)
search name ="one" or "one two" or "bla trhree aaa bbb" or "ddddd eeeee aaaaa" or "wwww"
based on Category.
I tried to replace ";" by "OR" :
eval Ids = replace(Ids , ";", " OR ")
But, it gives me:
one OR one two OR bla trhree aaa bbb OR ddddd eeeee aaaaaa OR wwww
And I want to have :
"one" OR "one two" OR "bla trhree aaa bbb" OR "ddddd eeeee aaaaaa" OR "wwww"
What should I use to treat it like string, not separated values?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your explanation is VERY confusing but I am pretty sure that you can do what you need with one of these examples:
To create a test mv field:
| makeresults | eval mv="a b c d e f g" | table mv | makemv mv
Now look what adding this does:
| format
Now look what adding this does:
| format "" "" "" "" "" ""
Now look what adding this does:
| rex field=mv mode=sed "s/$/ OR/"
| nomv mv
| rex field=mv mode=sed "s/^/(/ s/OR$/)/"
That should give you the building blocks to do what you need.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your explanation is VERY confusing but I am pretty sure that you can do what you need with one of these examples:
To create a test mv field:
| makeresults | eval mv="a b c d e f g" | table mv | makemv mv
Now look what adding this does:
| format
Now look what adding this does:
| format "" "" "" "" "" ""
Now look what adding this does:
| rex field=mv mode=sed "s/$/ OR/"
| nomv mv
| rex field=mv mode=sed "s/^/(/ s/OR$/)/"
That should give you the building blocks to do what you need.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok, it helped, but I have next problem.
Basically I have search wich gives me two field Name and Category (there is always 1 value in each of them).
Then I want to append lookup file which containes dozens vales like this from my previous question.
(So Name is f.e "aa bbb c d e f g" as Name and Category (with 1 value).
And the problems is that how format each multiplevalue field to (mv="aa" OR mv="bbb" OR mv="c" OR mv="d" ... )
I guess that regex wil be the solution, but I am still wondering hot to manage that.
Finally I want to have Name like before to use it as token in different searches, and Category to put it in dropdown as a fieldForLabel.
Any ideas?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Create a new question, give EXAMPLE EVENTS, and a MOCKUP of DESIRED SOLUTION.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ROFL. That's how to teach someone to fish. Here- throw this hook with a cricket over there and see what happens. Now try it under that log with this worm.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You are right, I didn't explained it well (I was in a hurry) BUT You managed to help me anyway!
Thank You!
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
