- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Is it possible to create a multivalue field out of...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is it possible to create a multivalue field out of fieldnames with a specific pattern
Hi,
is it possible to create a multivalue field out of fieldnames with a specific pattern?
Let's say we have several product fields in an event:
productA=20
productB=50
productC=100
...
Can we create a multivalue field that includes all fieldnames that start with "product"?
mv_field={productA productB productC}
Cheers
Heinz
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Assuming that your original fields are not multi-valued fields, then like this:
index=_*
| stats count by date_second
| eval date_second = "product" . date_second
| head 5
| eval anchor="X"
| xyseries anchor date_second count
| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"
| eval mvfield=","
| foreach product* [ eval mvfield = mvfield . $<<FIELD>>$ . "," ]
| makemv delim="," mvfield
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If would be better if you provided some sample events. Based on the details in the question you can try the following rex command with max_match=0. Following is the run-anywhere search:
| makeresults
| eval _raw="productA=20
productB=50
productC=100"
| rex field=_raw "(?<product>product[^=]+)=(?<qty>.*)" max_match=0
Refer to documentation: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Rex
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here is the part of a sample event. Seems to make a difference
payload: { [-]
consumablesUsed: { [-]
Consumable_Grenade: 0
Consumable_Healthpack: 0
}
So the mv should include every fieldname that starts with payload.consumablesUsed.Consumable_
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try the following:
| rex field=_raw "Consumable_(?<product>[^:]+):\s(?<qty>\d+)" max_match=0
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Since you have mentioned, payload.consumablesUsed.Consumable_, do you already have JSON data parsed and fields extracted?
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yes.
the example mentioned above does not work on my side
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How about the updated rex command with Consumable_ for pattern matching? I tested with your sample data and it worked for me.
| makeresults
| eval _raw="payload: {
consumablesUsed: {
Consumable_Grenade: 0
Consumable_Healthpack: 0
}"
| rex field=_raw "Consumable_(?<product>[^:]+):\s(?<qty>\d+)" max_match=0
However, if you already have JSON fields extracted using KV_MODE, you can try the following in your base search
<YourBaseSearch>
| table payload.consumablesUsed.Consumable_*
| transpose column_name="product"
| rename "row 1" as quantity
| makeresults | eval message= "Happy Splunking!!!"
Splunk Custom Visualizations App End of Life
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
