Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Split array into multiple lines

makragic
New Member
‎08-15-2019 05:03 AM

I have event that looks like this:

field1: field1_value
field2: field2_value      
messages: [
 {
  inner_field1:  msg1_field1    
  inner_field2: mgs1_field2
  inner_field3: msg1_field3 
  inner_field4: msg1_field4 
 },
 {
  inner_field1: msg2_field1 
  inner_field2: msg2_field2
  inner_field3: msg2_field3 
  inner_field4: msg2_field4
 }
]}

I want create a table that has this structure:

| field1 | field2 | inner_field1 | inner_field2 | inner_field3 | inner_field 4 |
| ------------- |------------------| --------------| -------------| -------------| --------------|
| field1_value | field2_value | msf1_field1 | msg1_field2 | msg1_field3 | msg1_field4 |
| field1_value | field2_value | msg2_field1 | msg2_field2 | msg2_field3 | msg2_field4 |

Does anyone know how to do this?

0 Karma
Reply

somesoni2
Revered Legend
‎08-15-2019 07:22 AM

Give this a try. We're assuming that field names in array messages and outside array are different. If there are more number of fields in the arrya, you'd need to adjust the eval temp command and the rex command.

your base search
| table field1 field2 messages{}.*
| rename messages{}.* as *
| eval temp=mvzip('inner_field1',mvzip('inner_field2',mvzip('inner_field3','inner_field4',"##"),"##"),"##")
| table field1 field2 temp
| mvexpand temp
| rex field=temp "(?<inner_field1>.+)##(?<inner_field2>.+)##(?<inner_field3>.+)##(?<inner_field4>.+)" | fields - temp
0 Karma
Reply

makragic
New Member
‎08-15-2019 11:42 AM

Can you explain to me what ## mean?

I actually did something similar today myself, after mvexpand I did makemv temp delim="," and then used eval with mvindex.

0 Karma
Reply

Sukisen1981
Champion
‎08-15-2019 06:37 AM

hi @makragic
does your values of inner field always have 2 sets in one event or can they be more?
inner_field1 occurs 2 times in this array can it occur more than twice?

0 Karma
Reply

makragic
New Member
‎08-15-2019 11:39 AM

Messages can have any amount of entries, however, each message always has 4 fields.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...