Splunk Search

Change multivalue field to strings

Accak
Path Finder

I have a table like this:
name | Category
"one; one two; bla trhree aaa bbb; ddddd eeeee aaaaaa; wwww" | Category1
"one; bla wwww; eeee; bbb zzzzz" | Category2
"one" | Category3

Now I have a multivalue field in a dashboard, where I want to put a query like this (for Category1):

  search name  ="one" or "one two" or "bla trhree aaa bbb" or "ddddd eeeee aaaaa" or "wwww" 

based on Category.
I tried to replace ";" with "OR":

eval Ids = replace(Ids , ";", " OR ")

But it gives me:
one OR one two OR bla trhree aaa bbb OR ddddd eeeee aaaaaa OR wwww
And I want to have:
"one" OR "one two" OR "bla trhree aaa bbb" OR "ddddd eeeee aaaaaa" OR "wwww"
What should I use to treat it as a string, not as separated values?

0 Karma
1 Solution

woodcock
Esteemed Legend

Your explanation is VERY confusing, but I am pretty sure that you can do what you need with one of these examples:

To create a test mv field:

| makeresults | eval mv="a b c d e f g" | table mv | makemv mv

Now look what adding this does:

| format

Now look what adding this does:

| format "" "" "" "" "" ""

Now look what adding this does:

| rex field=mv mode=sed "s/$/ OR/"
| nomv mv
| rex field=mv mode=sed "s/^/(/ s/OR$/)/"

That should give you the building blocks to do what you need.


Accak
Path Finder

Ok, it helped, but I have the next problem.
Basically I have a search which gives me two fields, Name and Category (there is always 1 value in each of them).
Then I want to append a lookup file which contains dozens of values like the ones from my previous question
(so Name is e.g. "aa bbb c d e f g" as Name, and Category with 1 value).
And the problem is how to format each multivalue field to (mv="aa" OR mv="bbb" OR mv="c" OR mv="d" ... ).
I guess that regex will be the solution, but I am still wondering how to manage that.
Finally I want to have Name like before to use it as a token in different searches, and Category to put in a dropdown as a fieldForLabel.
Any ideas?

0 Karma
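As an added example (not from the thread and not woodcock's code), one SPL pipeline that builds both forms asked for above from the table in the first post: the quoted list wanted there and the `name="…" OR name="…"` form wanted in the follow-up. `makeresults` and the `case()` values stand in for the real search or lookup; `makemv` splits on the literal "; " delimiter and `mvjoin` glues the values back with the quoting already in place, so no `replace`/`rex` round trip is needed.

```spl
| makeresults count=3
| streamstats count AS n
| eval name=case(n==1, "one; one two; bla trhree aaa bbb; ddddd eeeee aaaaaa; wwww",
                 n==2, "one; bla wwww; eeee; bbb zzzzz",
                 n==3, "one"),
       Category="Category".tostring(n)
| fields - _time n
| makemv delim="; " name
| eval quoted="\"" . mvjoin(name, "\" OR \"") . "\""
| eval name_query="(name=\"" . mvjoin(name, "\" OR name=\"") . "\")"
| table Category name quoted name_query
```

For Category1 this yields `quoted` = `"one" OR "one two" OR "bla trhree aaa bbb" OR "ddddd eeeee aaaaaa" OR "wwww"` and `name_query` = `(name="one" OR name="one two" OR ...)`, and the single-value Category3 row comes out as `"one"`. Before feeding either field into a dashboard token, strip or escape any double quotes and backslashes in the lookup values first, since an unescaped quote inside a value would end the quoted term early and change what the token search matches.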

woodcock
Esteemed Legend

Create a new question, give EXAMPLE EVENTS, and a MOCKUP of DESIRED SOLUTION.

0 Karma

DalJeanis
SplunkTrust

ROFL. That's how to teach someone to fish. Here- throw this hook with a cricket over there and see what happens. Now try it under that log with this worm.

0 Karma

Accak
Path Finder

You are right, I didn't explain it well (I was in a hurry) BUT you managed to help me anyway!
Thank You!

0 Karma