Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I split similar fields into multiple related events?

pwild_splunk
Splunk Employee
Splunk Employee
‎06-30-2018 08:12 PM

I have some events like this. Wifi AP and DEVICE connected to it. A one to many AP to DEVICE relationship exists

AP,DEVICE
---------------
A1,D1
A3,D2
A3,D3
A3,D4
A4,D5
A5,D6
A5,D7

I need to reformat this data to be like this:

tuple,D
-----------
1,A1
1,D1
2,A3
2,D2
3,A3
3,D3
4,A3
4,D4
5,A4
5,D5
6,A5
6,D6
7,A5
7,D7

Is there a cleaner way of doing this than below?

search cmd
| streamstats count as tuple
| eval point="1,2"
| makemv delim="," point
| mvexpand point
| eval D=if(point=1,AD,DEVICE)
|  table  tuple D

This is so I can use the Map+ vis to draw lines between these connected devices.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DalJeanis
Legend
‎06-30-2018 08:19 PM

@pwild - you have it exactly right.

You can replace this...

| eval point="1,2"
| makemv delim="," point

...with this...

| eval point=mvrange(1,3)

...but that's about the only change that makes it any more elegant. Everything else you can do is just rearranging furniture.

Oh, wait...

 search cmd
 | streamstats count as tuple
 | eval D=mvappend(AD,DEVICE)
 | mvexpand D
 | table tuple D

Yeah, that's clearly more elegant.

View solution in original post

Reply
Solved! Jump to solution
Solution

DalJeanis
Legend
‎06-30-2018 08:19 PM

@pwild - you have it exactly right.

You can replace this...

| eval point="1,2"
| makemv delim="," point

...with this...

| eval point=mvrange(1,3)

...but that's about the only change that makes it any more elegant. Everything else you can do is just rearranging furniture.

Oh, wait...

 search cmd
 | streamstats count as tuple
 | eval D=mvappend(AD,DEVICE)
 | mvexpand D
 | table tuple D

Yeah, that's clearly more elegant.

Reply
Solved! Jump to solution

pwild_splunk
Splunk Employee
Splunk Employee
‎06-30-2018 08:26 PM

Thanks for such a quick response!

Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...